A vulnerability classified as critical has been found in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /appointmentapproval.php of the component Appointment Handler. Manipulation of the argument editid causes SQL injection. This vulnerability is tracked as CVE-2026-13520. The attack can be carried out remotely. Moreover, an exploit is present.