CVE-2026-7632: SQL Injection in Online Hospital Management System

/HIGH /CVSS 7.3/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitysql-injectioncwe-74cwe-89
CVE-2026-7632: SQL Injection in Online Hospital Management System

The National Vulnerability Database has identified CVE-2026-7632, a high-severity SQL injection vulnerability in code-projects Online Hospital Management System 1.0. This flaw, with a CVSS v3.1 score of 7.3 (HIGH), resides in the /viewappointment.php file and is triggered by manipulating the delid argument. The vulnerability is remotely exploitable, and exploit details have been publicly disclosed, increasing the immediate risk.

This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The impact, according to the National Vulnerability Database, includes potential compromise of confidentiality, integrity, and availability of patient data and system operations. Such a compromise could lead to data exfiltration, unauthorized data modification, or denial of service.

Organizations utilizing code-projects Online Hospital Management System 1.0 face a critical risk. Given the public disclosure of exploit details, attackers now have a clear roadmap. Defenders must prioritize patching or isolating affected systems immediately to prevent data breaches and maintain patient data integrity.

What This Means For You

  • If your organization uses code-projects Online Hospital Management System 1.0, you are directly exposed to CVE-2026-7632. This is a critical SQL injection vulnerability with publicly available exploits. Prioritize patching or, if a patch isn't available, isolate the system immediately and review logs for any suspicious database activity. Assume compromise until proven otherwise.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Software Component: Web Shell Persistence T1189 Drive-by Compromise Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-7632: SQL Injection in Online Hospital Management System viewappointment.php

Sigma YAML — free preview 
title: CVE-2026-7632: SQL Injection in Online Hospital Management System viewappointment.php
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects exploitation attempts against CVE-2026-7632 in the Online Hospital Management System. This rule specifically looks for requests to '/viewappointment.php' containing the 'delid' parameter with SQL injection patterns like ' OR ' and '= ' LIMIT '. This indicates an attempt to manipulate the 'delid' argument for SQL injection.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7632/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/viewappointment.php'
      cs-uri-query|contains:
          - 'delid='
      cs-uri-query|contains:
          - ' OR '
      cs-uri-query|contains:
          - '= '
      cs-uri-query|contains:
          - ' LIMIT '
      cs-method|exact:
          - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7632 SQLi code-projects Online Hospital Management System 1.0
CVE-2026-7632 SQLi Vulnerable file: /viewappointment.php
CVE-2026-7632 SQLi Vulnerable parameter: delid

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 02, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7631 — Code-Projects Online Hospital Management System Vulnerability

CVE-2026-7631 — A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler....

vulnerabilityCVEmedium-severitycwe-266cwe-285
/SCW Vulnerability Desk /MEDIUM /5.4 /⚑ 3 IOCs /⚙ 2 Sigma

CVE-2026-7630: InnoShop Improper Authentication Exposes Installation Endpoint

CVE-2026-7630 — A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of...

vulnerabilityCVEhigh-severitycwe-287
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 4 IOCs /⚙ 3 Sigma

CVE-2026-7629 — Kleneway Awesome-Cursor-Mpc-Server Command Injection

CVE-2026-7629 — A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component...

vulnerabilityCVEmedium-severitycommand-injectioncwe-74cwe-77
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 3 IOCs /⚙ 3 Sigma