PatchSiren cyber security CVE debrief
CVE-2026-8785 projectworlds CVE debrief
CVE-2026-8785 describes a remotely reachable SQL injection in projectworlds hospital-management-system-in-php 1.0, specifically in getAllPatientDetail within update_info.php when the appointment_no GET parameter is manipulated. The supplied source metadata also indicates a public exploit reference and says the project was notified early via an issue report but had not responded at the time of publication. For exposed deployments, this should be treated as an active-risk application weakness, not just a theoretical flaw.
- Vendor
- projectworlds
- Product
- hospital-management-system-in-php
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-18
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-18
- Advisory updated
- 2026-05-18
Who should care
Anyone operating or maintaining projectworlds hospital-management-system-in-php 1.0, especially teams exposing update_info.php to the network, plus application security, web platform, and incident response teams responsible for PHP applications and database-backed patient portals.
Technical summary
The vulnerability is a SQL injection in a GET parameter handler. In the affected flow, getAllPatientDetail in update_info.php processes the appointment_no parameter in a way that allows attacker-controlled input to alter database queries. The supplied CVE metadata rates the issue as network exploitable with no privileges or user interaction required, and the weakness mapping includes CWE-89 (SQL Injection) and CWE-74 (Injection).
Defensive priority
Medium, elevated for any internet-facing installation.
Recommended defensive actions
- Identify whether projectworlds hospital-management-system-in-php 1.0 is deployed anywhere in your environment, including legacy or unmanaged web servers.
- Review update_info.php and the getAllPatientDetail path for unsafe query construction involving appointment_no.
- Apply a fix from the vendor or maintainers if one becomes available; if not, consider removing or isolating the affected application.
- Use parameterized queries and strict server-side validation for all database inputs in the affected code path.
- Restrict network exposure to the application and database where possible, and monitor for anomalous requests targeting appointment_no.
- Check logs and database telemetry for suspicious query patterns consistent with SQL injection attempts.
- If the application handles sensitive patient data, prioritize remediation and consider compensating controls until the issue is resolved.
Evidence notes
All technical claims here are limited to the supplied corpus: the CVE description, NVD metadata, and the referenced source links. The source metadata identifies the affected function as getAllPatientDetail in update_info.php and the parameter as appointment_no. NVD metadata also lists CWE-89 and CWE-74 and marks the vuln status as Received. The record’s vendor attribution is low-confidence in the supplied data, so product identification should be treated cautiously even though the description names projectworlds hospital-management-system-in-php 1.0.
Official resources
Published on 2026-05-18. The supplied source metadata indicates the issue was reported to the project early via an issue report and that the project had not responded at publication time. The corpus also includes a public exploit reference,