CVE-2026-3302 - Vulnerability Details

- SourceCodester Doctor Appointment System Sign Up register.php cross site scripting

Description

A weakness has been identified in SourceCodester Doctor Appointment System 1.0. Affected by this issue is some unknown functionality of the file /register.php of the component Sign Up Page. Executing a manipulation of the argument Email can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Published: 2026-02-27

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A weakness exists in the registration page of SourceCodester Doctor Appointment System 1.0. Manipulating the Email argument when submitting the form causes the server to reflect unsanitized user input back to the browser, enabling cross‑site scripting. The flaw is categorized as CWE‑79 and, based on the description, a secondary code injection issue is also referenced as CWE‑94. An attacker who can supply an injected payload in the Email field can execute arbitrary JavaScript in the context of the victim’s browser session, potentially hijacking cookies or performing other malicious actions.

Affected Systems

SourceCodester: Doctor Appointment System version 1.0 is affected by this vulnerability. No other product versions are listed.

Risk and Exploitability

The CVSS base score for this issue is 5.3, indicating moderate severity. EPSS suggests an extremely low exploitation probability (<1 %). The vulnerability is not listed in CISA’s KEV catalog, and publicly available proof‑of‑concept code demonstrates a remote attack path that simply requires sending a crafted HTTP request to the register.php endpoint.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Doctor Appointment System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:remyandrade:doctor_appointment_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Sourcecodester

Doctor Appointment System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor‑issued patch or upgrade to the latest Doctor Appointment System release once available.
Validate and sanitize the Email field on the server side, ensuring that any scripts or dangerous characters are removed or properly escaped before storage or display.
Deploy a Content‑Security‑Policy header on the application to block inline script execution and mitigate the impact of any reflected XSS.

Generated by OpenCVE AI on April 16, 2026 at 15:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/rayficom/Proof-of-Concept/blob/main/20260219/README.md
https://vuldb.com/?ctiid.348053
https://vuldb.com/?id.348053
https://vuldb.com/?submit.762427
https://www.sourcecodester.com/

History

Mon, 02 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester doctor Appointment System
Vendors & Products		Sourcecodester Sourcecodester doctor Appointment System

Fri, 27 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 27 Feb 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Remyandrade Remyandrade doctor Appointment System
CPEs		cpe:2.3:a:remyandrade:doctor_appointment_system:1.0:::::::*
Vendors & Products		Remyandrade Remyandrade doctor Appointment System

Fri, 27 Feb 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in SourceCodester Doctor Appointment System 1.0. Affected by this issue is some unknown functionality of the file /register.php of the component Sign Up Page. Executing a manipulation of the argument Email can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Title		SourceCodester Doctor Appointment System Sign Up register.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/rayficom/Proof-of-Concept/blob/main/20260219/README.md https://vuldb.com/?ctiid.348053 https://vuldb.com/?id.348053 https://vuldb.com/?submit.762427 https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Remyandrade Doctor Appointment System

Sourcecodester Doctor Appointment System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-27T06:02:09.605Z

Updated: 2026-02-27T18:45:13.668Z

Reserved: 2026-02-26T20:36:31.415Z

Link: CVE-2026-3302

Vulnrichment

Updated: 2026-02-27T18:45:09.619Z

NVD

Status : Analyzed

Published: 2026-02-27T07:17:12.300

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object