CVE-2019-25728 HIGH

CVE-2019-25728: Care2x 2.7 Hospital Information System SQL Injection via ck_config

Vendor Care2X
Product Care2x
Weakness CWE-89 · SQLi
Published June 4, 2026
Last update June 4, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Attackers can inject malicious SQL through the ck_config cookie in multiple endpoints including login.php, indexframe.php, and various module files to extract sensitive database information without authentication.

Key dates

02 Disclosure timeline

June 4, 2026 CVE published
June 4, 2026 Record updated