{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-56215", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T13:23:01.234Z", "dateReserved": "2025-08-16T00:00:00.000Z", "datePublished": "2025-08-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T13:23:01.234Z"}, "descriptions": [{"lang": "en", "value": "phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-11976/fdd8631102e9985"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-56215.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-26T15:50:10.889841Z", "id": "CVE-2025-56215", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T15:50:37.989Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-56215", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-26T15:50:10.889841Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T15:50:30.148Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-11976/fdd8631102e9985"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-56215.md"}], "descriptions": [{"lang": "en", "value": "phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T13:23:01.234Z"}}}, "cveMetadata": {"cveId": "CVE-2025-56215", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:23:01.234Z", "dateReserved": "2025-08-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-08-25T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA36E354-4DBF-4BE4-9BC4-CB00C6771BAF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter."}, {"lang": "es", "value": "phpgurukul Hospital Management System 4.0 es vulnerable a la inyecci\u00f3n SQL en contact.php a trav\u00e9s del par\u00e1metro pagetitle."}], "id": "CVE-2025-56215", "lastModified": "2026-04-06T14:16:21.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-25T15:15:41.880", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://doc.clickup.com/3897127/p/h/3pxt7-11976/fdd8631102e9985"}, {"source": "cve@mitre.org", "url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-56215.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:21:09.220382+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched release of PHPgurukul Hospital Management System 4.0 that validates or parameterizes the pagetitle input", "If an update is unavailable, modify the application code to use prepared statements or stored procedures for all database interactions involving the pagetitle field", "Deploy a web application firewall rule set that detects and blocks typical SQL injection payloads targeting the contact.php endpoint"], "summary": {"action": "Apply Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is PHPgurukul Hospital Management System version 4.0. No other affected versions or other vendors are specified.", "description_and_impact": "A SQL injection vulnerability exists in the contact.php file of PHPgurukul Hospital Management System 4.0, where the pagetitle parameter is not properly sanitized. This weakness allows an unauthenticated attacker to inject and execute arbitrary SQL statements, which can lead to disclosure or modification of sensitive data stored in the database. The vulnerability is marked as medium severity, with a CVSS score of 6.5, indicating that it could potentially compromise confidentiality and integrity of the system's data, but it does not provide a direct path to remote code execution.", "risk_and_exploitability": "Because the condition depends solely on user-controlled input to contact.php, exploitation can be performed remotely over the web by crafting a request that includes malicious content in the pagetitle field. The EPSS score is less than 1%, suggesting that exploit attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the medium CVSS score and the nature of the attack vector indicate that the risk to an organization running this system remains significant, especially if the application is exposed to the Internet. "}}}}, "created": "2025-08-25T21:53:13.487735+00:00", "title": "SQL Injection via pagetitle parameter in Hospital Management System 4.0", "updated": "2026-04-22T22:30:28.827208+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$hospital_management_system"]}