Impact
The vulnerability is a cross-site request forgery (CWE-352) in the Patients Waiting Area Queue Management System. A remote attacker can craft a request that executes privileged actions in the application without the victim's consent. According to the description, a manipulation leads to cross-site request forgery, and the attack can be launched remotely. The flaw risks unauthorized modification or retrieval of sensitive data, potentially compromising the confidentiality, integrity, and availability of the queue system.
Affected Systems
The affected product is the Patients Waiting Area Queue Management System, version 1.0, released by Patrick Mvuma and SourceCodester. The Common Platform Enumeration indicates that the flaw resides in the 1.0 release of the application. No other versions or sub-components are explicitly mentioned as affected.
Risk and Exploitability
The CVSS score is 5.3, indicating a moderate risk. EPSS is below 1%, suggesting a very low yet non-zero probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because the attack vector is remote and the flaw is a cross-site request forgery, an attacker would need to persuade a legitimate user or a service to submit a forged request, often by embedding malicious content in a link or a form. Exploitation is unlikely at the moment, but CSRF is a common and well-known technique, so the system remains exposed to it.