CVE-2026-2179
Published: 08 February 2026
Summary
CVE-2026-2179 is a medium-severity Injection (CWE-74) vulnerability in Phpgurukul Hospital Management System. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Validates query inputs to prevent SQL syntax or command manipulation.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a web-based hospital management system directly enables exploitation of a public-facing application (T1190) and unauthorized data access/modification from the backend database (T1213.006).
NVD Description
A vulnerability was determined in PHPGurukul Hospital Management System 4.0. This impacts an unknown function of the file /admin/manage-users.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed…
more
and may be utilized.
Deeper analysisAI
CVE-2026-2179 is a SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Hospital Management System version 4.0. It affects an unknown function within the file /admin/manage-users.php, where manipulation of the ID argument enables the injection. The issue was published on 2026-02-08 and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by attackers who possess high privileges (PR:H), such as authenticated administrators. Exploitation requires low complexity and no user interaction, allowing limited impacts: partial disclosure of sensitive information (C:L), minor modification of data (I:L), and slight denial of service (A:L).
A proof-of-concept exploit, including reproduction steps, has been publicly disclosed on GitHub at https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC. Further details are available via VulDB entries at https://vuldb.com/?ctiid.344882 and https://vuldb.com/?id.344882, as well as the vendor site at https://phpgurukul.com/. No specific patch or mitigation guidance is detailed in the provided references.
Details
- CWE(s)