Description
A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A flaw in the '/appointments.php' page of Patients Waiting Area Queue Management System 1.0 allows an attacker to inject arbitrary scripts through the 'patient_id' parameter. The lack of proper input sanitization lets malicious code execute in the victim’s browser, enabling session hijacking, defacement, or redirection to phishing sites. The attack can be launched remotely by sending a crafted HTTP request to the publicly accessible PHP file.

Affected Systems

This vulnerability impacts Version 1.0 of the Patients Waiting Area Queue Management System developed by Patrick Mvuma and SourceCodester. Administrators should verify that their installations run this version and are exposed to the public web.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS score of less than 1 % shows a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. An attacker would need network access to the web server and would use the publicly exposed '/appointments.php' endpoint, manipulating the 'patient_id' value with malicious script payloads.

Generated by OpenCVE AI on April 18, 2026 at 13:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade or apply the vendor patch that fixes the XSS issue in the appointments.php handler.
  • Validate the patient_id parameter on the server side to allow only numeric values, rejecting any input that contains script tags or characters.
  • Encode or escape any data derived from patient_id before rendering it in the HTTP response to neutralize injected scripts.

Generated by OpenCVE AI on April 18, 2026 at 13:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Pamzey
Pamzey patients Waiting Area Queue Management System
CPEs cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Pamzey
Pamzey patients Waiting Area Queue Management System

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Patrick Mvuma
Patrick Mvuma patients Waiting Area Queue Management System
Sourcecodester
Sourcecodester patients Waiting Area Queue Management System
Vendors & Products Patrick Mvuma
Patrick Mvuma patients Waiting Area Queue Management System
Sourcecodester
Sourcecodester patients Waiting Area Queue Management System

Sun, 08 Feb 2026 11:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used.
Title SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System appointments.php cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Pamzey Patients Waiting Area Queue Management System
Patrick Mvuma Patients Waiting Area Queue Management System
Sourcecodester Patients Waiting Area Queue Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:41:08.872Z

Reserved: 2026-02-07T07:54:03.355Z

Link: CVE-2026-2149

cve-icon Vulnrichment

Updated: 2026-02-10T21:19:48.925Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-08T11:15:53.453

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2149

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses