{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-56214", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T13:19:49.311Z", "dateReserved": "2025-08-16T00:00:00.000Z", "datePublished": "2025-08-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T13:19:49.311Z"}, "descriptions": [{"lang": "en", "value": "phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-11996/43458c7f19aa2e0"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-56214.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-26T13:34:10.652050Z", "id": "CVE-2025-56214", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T13:35:10.984Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-56214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-26T13:34:10.652050Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T13:35:05.814Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-11996/43458c7f19aa2e0"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-56214.md"}], "descriptions": [{"lang": "en", "value": "phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T13:19:49.311Z"}}}, "cveMetadata": {"cveId": "CVE-2025-56214", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:19:49.311Z", "dateReserved": "2025-08-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-08-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA36E354-4DBF-4BE4-9BC4-CB00C6771BAF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter."}, {"lang": "es", "value": "phpgurukul Hospital Management System 4.0 es vulnerable a la inyecci\u00f3n SQL en index.php a trav\u00e9s del par\u00e1metro de username."}], "id": "CVE-2025-56214", "lastModified": "2026-04-06T14:16:21.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-25T15:15:41.740", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://doc.clickup.com/3897127/p/h/3pxt7-11996/43458c7f19aa2e0"}, {"source": "cve@mitre.org", "url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-56214.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:20:40.873199+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch or upgrade to a version that implements input sanitization for the username parameter", "Replace the vulnerable query with a parameterized statement or use an ORM that handles escaping", "Configure a web\u2011application firewall to detect and block typical SQL injection payloads", "Restrict access to the index.php interface to trusted IP ranges if the functionality is not required externally", "Audit access logs for suspicious SQL activity and investigate any anomalies"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "The affected product is the phpGurukul Hospital Management System, specifically version 4.0. No other products or versions are mentioned in the CVE data.", "description_and_impact": "The Hospital Management System of phpGurukul version 4.0 contains an unfiltered username parameter in index.php that is directly incorporated into an SQL statement. This flaw qualifies as a SQL Injection vulnerability (CWE-89) and allows an attacker to execute arbitrary SQL commands. The consequence can include reading, modifying, or deleting confidential patient data and undermining the integrity of the medical records database.", "risk_and_exploitability": "The CVSS score of 9.8 marks this flaw as critical. The EPSS score is less than 1%, indicating a low likelihood of exploitation at present. This vulnerability is not listed in the CISA KEV catalog. Although the attack vector is inferred to be remote via the web interface, no specific exploit has been documented. The absence of an official patch or workaround places the responsibility on administrators to mitigate the risk themselves."}}}}, "created": "2025-08-25T21:53:12.891734+00:00", "title": "SQL Injection via Username Parameter in phpGurukul Hospital Management System 4.0", "updated": "2026-04-22T22:30:28.826186+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$hospital_management_system"]}