CVE-2025-70063

MEDIUM

PHPGurukul Hospital Management System 4.0 - Authorization Bypass via Medical History ViewID Parameter

Title source: llm

Description

The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the confidential medical records of other patients by iterating the 'viewid' integer.

References (2)

Core 2

Core References

Various Sources

https://gist.github.com/Sanka1pp/f43c7eca5048152899e14412523afe80

Various Sources

https://packetstorm.news/files/id/213711

Scores

CVSS v3 6.5

EPSS 0.0034

EPSS Percentile 25.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

phpgurukul/hospital_management_system 4.0

Published Feb 18, 2026

Tracked Since Feb 18, 2026