CVE-2026-1146 - Vulnerability Details

- SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting

Description

A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

Published: 2026-01-19

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the api_register_patient.php script allows an attacker to inject arbitrary HTML or JavaScript through the firstName and lastName parameters. This leads to cross‑site scripting that can be exploited remotely, allowing the attacker to deface the application, steal session cookies, or perform malicious actions in the context of legitimate users.

Affected Systems

The vulnerability affects Patrick Mvuma’s and SourceCodester’s Patients Waiting Area Queue Management System, version 1.0.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is below 1 %, suggesting low current exploitation probability, and the issue is not listed in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires only a crafted request to api_register_patient.php, which can be performed from a remote host. The absence of authentication checks on the input vectors allows the XSS payload to be delivered to any victim who accesses the application after a new patient registration.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Patients Waiting Area Queue Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Patrick Mvuma

Patients Waiting Area Queue Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Sourcecodester	Patients Waiting Area Queue Management System	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor‑supplied patch or upgrade to a version that includes input sanitization for the firstName and lastName fields
Validate and encode all user‑supplied data before rendering it in HTML output
Deploy a Content Security Policy that blocks inline scripts and restricts executable content

Generated by OpenCVE AI on April 18, 2026 at 05:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://vuldb.com/?ctiid.341739
https://vuldb.com/?id.341739
https://vuldb.com/?submit.735543

History

Fri, 30 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pamzey Pamzey patients Waiting Area Queue Management System
CPEs		cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:::::::*
Vendors & Products		Pamzey Pamzey patients Waiting Area Queue Management System

Tue, 20 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester patients Waiting Area Queue Management System
Vendors & Products		Sourcecodester Sourcecodester patients Waiting Area Queue Management System

Mon, 19 Jan 2026 09:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Title		SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://vuldb.com/?ctiid.341739 https://vuldb.com/?id.341739 https://vuldb.com/?submit.735543
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Pamzey Patients Waiting Area Queue Management System

Sourcecodester Patients Waiting Area Queue Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-19T08:32:05.987Z

Updated: 2026-02-23T08:44:08.848Z

Reserved: 2026-01-18T13:50:12.547Z

Link: CVE-2026-1146

Vulnrichment

Updated: 2026-01-20T15:14:25.335Z

NVD

Status : Analyzed

Published: 2026-01-19T09:16:02.803

Modified: 2026-01-30T18:15:05.000

Link: CVE-2026-1146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:30:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object