CVE-2026-13497 itsourcecode CVE debrief

Who should care

Organizations using itsourcecode Hospital Management System 1.0 should be aware of this vulnerability and take necessary steps to mitigate it. The vulnerability allows remote attackers to inject malicious SQL code, which could lead to unauthorized access to sensitive data. The exploit has been publicly disclosed, increasing the risk of exploitation.

Technical summary

The vulnerability is caused by the manipulation of the editid argument in the /appointment.php file of itsourcecode Hospital Management System 1.0. This allows remote attackers to inject malicious SQL code. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The vulnerability is classified as CWE-74 and CWE-89.

Defensive priority

This vulnerability has a low CVSS score of 2.1, but it is still important to prioritize patching as the exploit has been publicly disclosed. Organizations using itsourcecode Hospital Management System 1.0 should take necessary steps to mitigate this vulnerability.

Recommended defensive actions

• Patch the vulnerable system to prevent exploitation
• Implement additional security measures such as web application firewalls to detect and prevent SQL injection attacks
• Monitor the system for suspicious activity
• Conduct a thorough review of the system's code to identify and fix any other potential vulnerabilities
• Consider implementing compensating controls such as input validation and sanitization

Evidence notes

The vulnerability was published on June 28, 2026, and has not been modified since then. The exploit has been publicly disclosed and may be utilized. The CVSS score for this vulnerability is 2.1, indicating a low severity. The vulnerability is classified as CWE-74 and CWE-89.

Official resources