CVE-2026-12207

A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file app\modules\medical\port\rest\controllers\PatientController.php of the component HTTP REST API. The manipulation of the argument ID...

EUVD-2026-36681

A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file app\modules\medical\port\rest\controllers\PatientController.php of the component HTTP REST API. The manipulation of the argument ID...

PT-2026-49167

A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file appmodulesmedicalportrestcontrollersPatientController.php of the component HTTP REST API. The manipulation of the argument ID results ...

CVE-2026-11512 itsourcecode Hospital Management System billing.php cross site scripting

A security vulnerability has been detected in itsourcecode Hospital Management System 1.0. This issue affects some unknown processing of the file /billing.php. The manipulation of the argument patientid leads to cross site scripting. The attack can be initiated remotely. The exploit has been...

CVE-2026-11501

A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /classes/Master.php?f=savepatient. The manipulation of the argument ID results in sql injection. It is possible to launch the attack...

PT-2026-47279

A security vulnerability has been detected in itsourcecode Hospital Management System 1.0. This issue affects some unknown processing of the file /billing.php. The manipulation of the argument patientid leads to cross site scripting. The attack can be initiated remotely. The exploit has been...

EUVD-2026-31310

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientw.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticketid GET parameters directly into an HTML form action URL. Attackers ca...

CVE-2026-48227

Open ISES Tickets before 3.44.2 is affected by a reflected XSS in patient.php, where an unsanitized id and ticket_id in GET parameters can inject JavaScript into the HTML form action URL. The vulnerability allows authenticated users to craft requests that execute in a victim’s browser when the re...

CVE-2026-25745

OpenEMR (versions up to 8.0.0) is affected by CVE-2026-25745. The issue arises in the message/note update endpoint (e.g., PUT/POST), which updates by message/note ID without verifying that the message belongs to the current patient or that the user is permitted to edit that patient’s notes. An au...

EUVD-2026-11525

A vulnerability has been found in itsourcecode Online Doctor Appointment System 1.0. This impacts an unknown function of the file /admin/patientaction.php. Such manipulation of the argument patientid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to th...

EUVD-2026-10227

A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. This impacts an unknown function of the file /checkin.php. This manipulation of the argument patientid causes improper authorization. It is possible to initiate the attack remotely. The exploit has...

CVE-2026-25147 OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in portal/portalpayment.php, the patient id used for the page is taken from the request $pid = $REQUEST'pid' ?? $pid and $pid = $REQUEST'hiddenpatientcode' ?? null 0 ?...

CVE-2026-25929

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller’s patientpicture context serves the patient’s photo by document ID or patient ID without verifying that the current user is authorized to access...

CVE-2026-2150

A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patientid causes cross site scripting. The attack can be initiated remotely. Th...

CVE-2026-2150

CVE-2026-2150 affects SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System v1.0. The vulnerability is a cross-site scripting flaw in the /checkin.php file where manipulating the patient_id argument enables XSS. The issue can be triggered remotely and an exploit has been publ...

CVE-2026-2149

A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patientid results in cross site scripting. It is possible to...

CVE-2026-2149

A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patientid results in cross site scripting. It is possible to...

SourceCodester Patients Waiting Area Queue Management System 代码注入漏洞

The SourceCodester Patients Waiting Area Queue Management System is an open-source system developed by SourceCodester for managing patient waiting queues. Version 1.0 of the SourceCodester Patients Waiting Area Queue Management System contains a code injection vulnerability. This vulnerability...

CVE-2025-30058

In the PatientService.pl service, the "getPatientIdentifier" function is vulnerable to SQL injection through the "pesel" parameter...

CGM CLININET SQL Injection Vulnerability

CGM CLININET is a hospital information management system from CGM Germany. CGM CLININET suffers from an SQL injection vulnerability that originates from the lack of validation of the pesel parameter of the getPatientIdentifier function against externally entered SQL statements. An attacker can...