A Hospital Management System (HMS) is a computerized system that helps manage healthcare-related information and helps healthcare providers do their jobs effectively. Hospital Management System V4.0 and prior versions suffer from a SQL injection vulnerability that stems from the application’s failure to validate externally supplied input before it is embedded in SQL statements. An attacker can exploit this vulnerability by sending a crafted SQL statement to the Conatctus Queries endpoint through the unread query field, which would allow the attacker to view, add, modify, or delete information in the back-end database.
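The following is an added illustration, not code from the HMS application, of the defect class the advisory describes: a request value spliced into SQL text versus the same lookup done with type validation and a bound parameter. The table name `contactus_queries`, its columns, and the sample rows are constructed assumptions standing in for the real schema.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the application's contact-us query table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contactus_queries "
        "(id INTEGER PRIMARY KEY, name TEXT, message TEXT, is_read INTEGER)"
    )
    conn.executemany(
        "INSERT INTO contactus_queries (id, name, message, is_read) VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "appointment question", 0),
            (2, "bob", "billing question", 0),
            (3, "carol", "feedback", 1),
        ],
    )
    return conn


def fetch_unread_query_vulnerable(conn, query_id):
    """Vulnerable pattern: the request value becomes part of the SQL text.

    The database cannot tell where the developer's query ends and the
    attacker's input begins, so a value such as "1 OR 1=1" rewrites the
    WHERE clause and exposes rows the caller was never meant to see.
    """
    sql = f"SELECT id, name FROM contactus_queries WHERE is_read = 0 AND id = {query_id}"
    return conn.execute(sql).fetchall()


def fetch_unread_query_fixed(conn, query_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    Anything that is not an integer is rejected up front, and the integer
    that survives is passed to the driver separately from the SQL text, so
    it is only ever treated as data.
    """
    try:
        query_id = int(query_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, name FROM contactus_queries WHERE is_read = 0 AND id = ?"
    return conn.execute(sql, (query_id,)).fetchall()
```

Running both functions against the same crafted value shows the difference directly: the concatenated query returns every row in the table, including the one already marked as read, while the parameterized version returns nothing.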