CVE-2019-25728

HIGH 8.2

Care2x 2.7 Hospital Information System SQL Injection via ck_config

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

0th

Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Attackers can inject malicious SQL through the ck_config cookie in multiple endpoints including login.php, indexframe.php, and various module files to extract sensitive database information without authentication.

CWE	CWE-89
Vendor	care2x
Product	care2x
Published	Jun 4, 2026
Last Updated	Jun 4, 2026

Stay Ahead of the Next One

Get instant alerts for care2x care2x

Be the first to know when new high vulnerabilities affecting care2x care2x are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

care2x / Care2x

2.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/46268 vulncheck.com: https://www.vulncheck.com/advisories/care2x-hospital-information-system-sql-injection-via-ck-config

Credits

Carlos Avila