CVE-2025-57254

MEDIUM

Karthikg1908 HMS 1.0 - SQL Injection

Title source: llm

Description

An SQL injection vulnerability in user-login.php and index.php of Karthikg1908 Hospital Management System (HMS) 1.0 allows remote attackers to execute arbitrary SQL queries via the username and password POST parameters. The application fails to properly sanitize input before embedding it into SQL queries, leading to unauthorized access or potential data breaches. This can result in privilege escalation, account takeover, or exposure of sensitive medical data.

References (2)

Core 2

Core References

Various Sources

https://github.com/Karthikg1908/Hospital-Management-System

View Writeup ZIP pw:eip

Various Sources

https://github.com/ischyr/research-and-development/tree/main/CVE-2025-57254

View Writeup ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 18.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-89

Status published

Published Sep 30, 2025

Tracked Since Feb 18, 2026