CVE-2025-70063

Published: Feb 18, 2026Modified: Feb 26, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the confidential medical records of other patients by iterating the 'viewid' integer.

Affected (1)

Products: Phpgurukul: Hospital Management System

1 product

Hospital Management System

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Phpgurukul Hospital Management System	Version 4.0

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://gist.github.com/Sanka1pp/f43c7eca5048152899e14412523afe80

Source: cve@mitre.org

ExploitThird Party Advisory

https://packetstorm.news/files/id/213711

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

Timeline

No history available yet.