6.5
PHPGurukul Hospital Management System v4.0 Exposes Patient Medical Records
CVE-2025-70063
Summary
The 'Medical History' module in PHPGurukul Hospital Management System v4.0 lets an authenticated patient view other patients' medical records, because the application does not check that the requested 'viewid' belongs to the logged-in patient. Sensitive medical information is therefore exposed to users it does not belong to. No fixed version is listed yet; apply the vendor's update or security patch as soon as one is available.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| phpgurukul | hospital_management_system | 4.0 | – |
Original title
The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'vie...
Original description
The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the confidential medical records of other patients by iterating the 'viewid' integer.
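The missing ownership check described above, next to a hardened lookup, as an added example (not PHPGurukul's code and not from the original advisory). The `medical_history` table, its columns, the `patient_id` session key and all function names are hypothetical; it assumes PHP 8 with the pdo_sqlite extension and uses constructed in-memory rows.

```php
<?php
declare(strict_types=1);

// Constructed in-memory data; table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE medical_history (id INTEGER PRIMARY KEY, patient_id INTEGER, notes TEXT)');
$db->exec("INSERT INTO medical_history VALUES (1, 10, 'record of patient 10'), (2, 20, 'record of patient 20')");

// Pattern described in the advisory: the row is selected by viewid alone.
function fetchRecordByIdOnly(PDO $db, int $viewId): ?array
{
    $stmt = $db->prepare('SELECT id, notes FROM medical_history WHERE id = :id');
    $stmt->execute([':id' => $viewId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened form: the owner comes from the server-side session, never from the request.
function fetchRecordForPatient(PDO $db, int $viewId, int $sessionPatientId): ?array
{
    $stmt = $db->prepare('SELECT id, notes FROM medical_history WHERE id = :id AND patient_id = :pid');
    $stmt->execute([':id' => $viewId, ':pid' => $sessionPatientId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Request handling: validate the parameter, then answer identically for
// "does not exist" and "belongs to someone else" so record ids cannot be probed.
function handleView(PDO $db, array $query, array $session): array
{
    if (!isset($session['patient_id'])) {
        return [401, 'login required'];
    }
    $viewId = filter_var($query['viewid'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($viewId === false) {
        return [400, 'invalid viewid'];
    }
    $row = fetchRecordForPatient($db, $viewId, (int) $session['patient_id']);
    return $row === null ? [404, 'not found'] : [200, $row['notes']];
}

$session = ['patient_id' => 10];                             // constructed session for patient 10
var_dump(fetchRecordByIdOnly($db, 2) !== null);              // id-only lookup, asked for patient 20's row
var_dump(handleView($db, ['viewid' => '1'], $session)[0]);   // status for the patient's own record
var_dump(handleView($db, ['viewid' => '2'], $session)[0]);   // status for another patient's record
```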
nvd CVSS3.1
6.5
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
References
- https://gist.github.com/Sanka1pp/f43c7eca5048152899e14412523afe80 (Exploit, Third Party Advisory)
- https://packetstorm.news/files/id/213711 (Exploit, Mitigation, Third Party Advisory)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026