CVE-2021-36351

CRITICAL

Care2x Hospital Information Management System < 2.7 - SQL Injection via pday/pmonth/pyear Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-36351. PoCs published by securityforeveryone.com.

AI-analyzed exploit summary: This exploit demonstrates SQL injection vulnerabilities in Care2x Integrated Hospital Info System 2.7 via the 'pday', 'pmonth', and 'pyear' parameters in the 'nursing-station.php' page. It includes example payloads and a sqlmap command for exploitation.

Description

SQL Injection Vulnerability in Care2x Open Source Hospital Information Management 2.7 Alpha via the (1) pday, (2) pmonth, and (3) pyear parameters in GET requests sent to /modules/nursing/nursing-station.php.

Exploits (1)

exploitdb WORKING POC
by securityforeveryone.com · text · webapps · php
https://www.exploit-db.com/exploits/50165

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Care2x Integrated Hospital Info System <= 2.7 Alpha
No auth needed
Prerequisites: Access to the target application · SQL injection payloads
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50165

Scores

CVSS v3 9.8
EPSS 0.0185
EPSS Percentile 76.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1)
care2x/hospital_information_management_system < 2.7
Published Aug 06, 2021
Tracked Since Feb 18, 2026