Cyber Resilience

CVE-2026-2179

MediumPublic PoC

Published: 08 February 2026

Published
08 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 21.5th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2179 is a medium-severity Injection (CWE-74) vulnerability in Phpgurukul Hospital Management System. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2179 is a SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Hospital Management System version 4.0. It affects an unknown function within the file /admin/manage-users.php, where manipulation of the ID argument enables the injection. The issue was published on 2026-02-08 and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by attackers who possess high privileges (PR:H), such as authenticated administrators. Exploitation requires low complexity and no user interaction, allowing limited impacts: partial disclosure of sensitive information (C:L), minor modification of data (I:L), and slight denial of service (A:L).

A proof-of-concept exploit, including reproduction steps, has been publicly disclosed on GitHub at https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC. Further details are available via VulDB entries at https://vuldb.com/?ctiid.344882 and https://vuldb.com/?id.344882, as well as the vendor site at https://phpgurukul.com/. No specific patch or mitigation guidance is detailed in the provided references.

EU & UK References

Vulnerability details

A vulnerability was determined in PHPGurukul Hospital Management System 4.0. This impacts an unknown function of the file /admin/manage-users.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed…

more

and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a web-based hospital management system directly enables exploitation of a public-facing application (T1190) and unauthorized data access/modification from the backend database (T1213.006).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7176Same product: Phpgurukul Hospital Management System
CVE-2026-2134Same product: Phpgurukul Hospital Management System
CVE-2026-1550Same product: Phpgurukul Hospital Management System
CVE-2025-70064Same product: Phpgurukul Hospital Management System
CVE-2025-3006Same vendor: Phpgurukul
CVE-2025-2656Same vendor: Phpgurukul
CVE-2025-2627Same vendor: Phpgurukul
CVE-2025-1857Same vendor: Phpgurukul
CVE-2025-2681Same vendor: Phpgurukul
CVE-2025-2658Same vendor: Phpgurukul

Affected Assets

phpgurukul
hospital management system
4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the ID input parameter in manage-users.php to block SQL injection payloads.

prevent

Mandates timely remediation of the known SQL injection flaw in the publicly disclosed Hospital Management System code.

prevent

Limits the number of high-privilege accounts that can reach the vulnerable /admin/manage-users.php endpoint, reducing the attack surface.

References