Skip to main content

Hospital Bed Management System CVE-2026-16014

| EUVDEUVD-2026-45167 MEDIUM
SQL Injection (CWE-89)
2026-07-17 VulDB GHSA-cq83-c7ww-m93g
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Pre-authentication network login-form SQLi with no user interaction; limited C/I/A impact consistent with partial database access, no scope change to other systems.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 17, 2026 - 13:31 vuln.today
CVSS changed
Jul 17, 2026 - 13:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
CVE Published
Jul 17, 2026 - 12:45 cve.org
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was found in code-projects Hospital Bed Management System 1.0. This affects an unknown part of the component Login Form. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

AnalysisAI

SQL injection in the Login Form of code-projects Hospital Bed Management System 1.0 exposes unauthenticated remote attackers to database manipulation via the Username parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no user interaction, and the E:P modifier reflects a publicly available proof-of-concept on Gitee. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed login page via web scan
Exploit
Submit crafted SQL payload in Username field
Execution
Bypass authentication or extract database schema
Impact
Retrieve credentials or patient/bed records from database

Vulnerability AssessmentAI

Exploitation No special conditions are required - the Login Form is a pre-authentication endpoint reachable by any remote attacker with HTTP/HTTPS access to the application (confirmed by PR:N/UI:N in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L) presents a worst-case accessibility profile: remote, unauthenticated, low complexity, no prerequisites, no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request to the Login Form endpoint, injecting a SQL payload (e.g., a classic OR-based bypass or UNION-based extraction string) into the Username field, either bypassing authentication entirely or dumping database contents including credentials and patient records. A public POC is available on Gitee (https://gitee.com/Ajkss/cve/issues/IJU5GU), meaning script-level exploitation is accessible to low-skill attackers. …
Remediation No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-16014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy