Skip to main content

PHP CVE-2025-6406

| EUVD-2025-18889 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-06-21 cna@vuldb.com
PHP SQLi
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
HIGH MEDIUM
CVSS changed
Apr 29, 2026 - 01:11 NVD
7.3 (HIGH) 5.5 (MEDIUM)
EUVD ID Assigned
Mar 15, 2026 - 21:35 euvd
EUVD-2025-18889
Analysis Generated
Mar 15, 2026 - 21:35 vuln.today
PoC Detected
Jun 24, 2025 - 19:09 vuln.today
Public exploit code
CVE Published
Jun 21, 2025 - 14:15 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability, which was classified as critical, has been found in Campcodes Online Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/forgot-password.php. The manipulation of the argument fullname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-6406 is a critical SQL injection vulnerability in Campcodes Online Hospital Management System version 1.0, specifically in the /hms/forgot-password.php endpoint where the 'fullname' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of sensitive hospital patient and administrative data. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

Technical ContextAI

This vulnerability is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - SQL Injection) affecting the forgot-password functionality in Campcodes Online Hospital Management System 1.0. The affected file /hms/forgot-password.php fails to properly sanitize or parameterize user input in the 'fullname' parameter before incorporating it into SQL queries. The application likely constructs dynamic SQL statements using string concatenation rather than prepared statements with parameterized queries. CPE designation: cpe:2.3:a:campcodes:online_hospital_management_system:1.0:*:*:*:*:*:*:*. The root cause is improper input validation/output encoding in a PHP-based web application handling healthcare data.

RemediationAI

primary: Upgrade Campcodes Online Hospital Management System to a patched version beyond 1.0 (vendor patch version not specified in available data—contact Campcodes directly or check their security advisories); immediate_mitigations: ["Apply Web Application Firewall (WAF) rules to block SQL injection patterns in forgot-password.php requests (detect quotes, UNION, SELECT, comment syntax in 'fullname' parameter)", "Implement input validation: whitelist alphanumeric characters and common name delimiters (spaces, hyphens) in 'fullname' field; reject any parameter containing SQL metacharacters", "Force parameterized queries/prepared statements in /hms/forgot-password.php using PHP PDO with placeholders: $stmt = $pdo->prepare('SELECT * FROM users WHERE fullname = ?'); $stmt->execute([$fullname]);", 'Enable SQL error suppression in production to prevent SQL error messages from leaking database structure to attackers', "Restrict database user permissions: ensure the PHP application's database account has minimal privileges (SELECT only on necessary tables, no DROP/ALTER permissions)"]; long_term: Implement secure SDLC practices: code review focusing on CWE-74 patterns, static analysis scanning (SAST) for SQL injection, security testing before release. Migrate from PHP procedural code to a modern framework (Laravel, Symfony) with built-in ORM protections.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2025-6406 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy