Description
A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /queue.php. This manipulation of the argument firstname/lastname causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Published: 2026-02-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

A cross‑site scripting vulnerability exists in the queue.php file of the Patients Waiting Area Queue Management System. Manipulating the firstname and lastname parameters allows an attacker to inject arbitrary client‑side script into the page. The flaw can be exploited remotely because the arguments are supplied through a web request, and an exploit has been publicly published.

Affected Systems

The affected product is the Patients Waiting Area Queue Management System version 1.0 distributed by Patrick Mvuma and SourceCodester. No other versions or configurations are listed in the vulnerability data.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1, which indicates medium severity. The EPSS score is below 1%, suggesting a low probability of exploitation at the time of this analysis. The issue is not listed in CISA’s KEV catalog. Exploitation requires only that a user interacts with a malicious firstname or lastname via the queue.php interface, making it a straightforward remote attack if the web application is publicly accessible.

Generated by OpenCVE AI on April 18, 2026 at 10:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch for version 1.0 of the Patients Waiting Area Queue Management System.
  • Validate or encode the firstname and lastname input before it is displayed or executed, ensuring all output is properly escaped for HTML or JavaScript contexts.
  • If a patch is not available, restrict access to queue.php or remove the ability to alter firstname/lastname parameters via URL manipulation until remediation can be applied.

Generated by OpenCVE AI on April 18, 2026 at 10:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Patrick Mvuma
Patrick Mvuma patients Waiting Area Queue Management System
Sourcecodester
Sourcecodester patients Waiting Area Queue Management System
Vendors & Products Patrick Mvuma
Patrick Mvuma patients Waiting Area Queue Management System
Sourcecodester
Sourcecodester patients Waiting Area Queue Management System

Wed, 25 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Pamzey
Pamzey patients Waiting Area Queue Management System
CPEs cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Pamzey
Pamzey patients Waiting Area Queue Management System

Wed, 25 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /queue.php. This manipulation of the argument firstname/lastname causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Title SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System queue.php cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Pamzey Patients Waiting Area Queue Management System
Patrick Mvuma Patients Waiting Area Queue Management System
Sourcecodester Patients Waiting Area Queue Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T16:34:51.471Z

Reserved: 2026-02-24T22:02:42.196Z

Link: CVE-2026-3171

cve-icon Vulnrichment

Updated: 2026-02-25T16:34:45.509Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T09:16:15.740

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3171

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses