Description
A vulnerability was identified in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Impacted is an unknown function of the file /registration.php of the component Patient Registration Module. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the Patient Registration Module’s registration.php, specifically through unsanitized input of the First Name field. Attackers can inject malicious scripts that are stored and rendered as part of the web page, allowing them to perform actions such as stealing session cookies, defacing content, or executing arbitrary JavaScript in the context of the victim’s browser. This flaw falls under the Common Weakness Enumeration of XSS (CWE‑79) and also involves code injection (CWE‑94), indicating that the input is used without proper validation or encoding.

Affected Systems

The affected systems are the Patients Waiting Area Queue Management System developed by Patrick Mvuma and SourceCodester, version 1.0. No other product versions or additional vendor details were provided by the CNA.

Risk and Exploitability

The CVSS score of 5.3 reflects medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no known large-scale active exploitation. The likely attack vector is remote, as attackers need only interact with the registration page through a browser. Successful exploitation requires that a user visits a page that renders the injected script, and the attacker must submit the malicious input before the victim's visit.

Generated by OpenCVE AI on April 17, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a version that has patched the registration.php input handling or apply the vendor’s official security update if available
  • Conduct a review of all form inputs to ensure they are properly sanitized and escaped before rendering
  • Implement strict Content Security Policy headers to mitigate the impact of any remaining script injections

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pamzey; Pamzey patients Waiting Area Queue Management System
CPEs | | cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products | | Pamzey; Pamzey patients Waiting Area Queue Management System

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Patrick Mvuma; Patrick Mvuma patients Waiting Area Queue Management System; Sourcecodester; Sourcecodester patients Waiting Area Queue Management System
Vendors & Products | | Patrick Mvuma; Patrick Mvuma patients Waiting Area Queue Management System; Sourcecodester; Sourcecodester patients Waiting Area Queue Management System

Sun, 08 Feb 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Impacted is an unknown function of the file /registration.php of the component Patient Registration Module. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Title | | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System Patient Registration registration.php cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}; cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:42:20.776Z

Reserved: 2026-02-07T08:23:38.264Z

Link: CVE-2026-2154

Vulnrichment

Updated: 2026-02-10T20:00:28.794Z

NVD

Status: Analyzed

Published: 2026-02-08T14:16:25.833

Modified: 2026-02-10T14:49:26.827

Link: CVE-2026-2154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:00:11Z
