Description
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.
Published: 2026-04-14
Score: 2.7 Low
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Arbitrary code execution (CWE-94) has been reported in SourceCodester Patient Appointment Scheduler System version 1.0 via the update_settings action of /scheduler/classes/SystemSettings.php. According to the CVE description, an attacker who can reach that endpoint with the parameter f=update_settings can supply input that the application ends up executing as code, which would compromise the server running the application: altering system behavior, exfiltrating data, or installing persistent backdoors. The record does not say how the supplied input reaches execution, so confirm the mechanism against the application source before relying on a specific detection or fix.

Affected Systems

Patient Appointment Scheduler System version 1.0 developed by SourceCodester. No other versions or vendor details are listed in the vulnerability report.

Risk and Exploitability

The CVSS v3.1 vector recorded for this entry (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) says the endpoint is reachable over the network with low attack complexity and no user interaction, but that exploitation requires high privileges (PR:H), i.e. an account that is already an administrator of the application. The resulting 2.7 (Low) score, with only a partial confidentiality impact, and the SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: partial) do not match the remote code execution stated in the description; one of the two is wrong, and until the discrepancy is resolved the conservative reading is that a compromised or malicious administrator account yields code execution on the host. The absence of EPSS or KEV data means only that no exploitation has been observed or scored yet, not that the flaw is harmless. No vendor fix or workaround is recorded, so the endpoint remains exploitable wherever an administrator session, or a stolen administrator credential, can reach it.
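Because the only concrete indicators the record gives are the path and the f=update_settings parameter, the practical first step for a defender is to check whether anything has already called that action. The following is an added example for this page, not code from OpenCVE or from the SourceCodester application; it assumes Apache/nginx "combined" access-log format, and the log lines embedded in it are constructed for the example. It parses the request target properly (percent-decoding the path and parsing the query string) rather than substring-matching, so encoded or reordered variants of the request are still found.

```python
"""Hunt web-server access logs for requests to the endpoint named in this CVE.

Added example for this advisory page; not part of OpenCVE or of the
SourceCodester application. Assumes Apache/nginx "combined" log format and
uses only the path and parameter given in the CVE description. The sample
log lines at the bottom are constructed, not real traffic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/scheduler/classes/SystemSettings.php"   # from the CVE description
VULN_ACTION = "update_settings"                        # value of the f= parameter

# One "combined" format line: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    status: int


def is_vuln_request(target: str) -> bool:
    """True if the request target is SystemSettings.php with f=update_settings.

    The path is percent-decoded before comparison and the query string is parsed
    as key/value pairs, so f=update%5Fsettings or a reordered query such as
    x=1&f=update_settings is still recognised; a plain substring match would miss them.
    """
    parts = urlsplit(target)
    if unquote(parts.path) != VULN_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return VULN_ACTION in params.get("f", [])


def find_hits(lines):
    """Return a Hit for every parsable log line that targets the vulnerable action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_vuln_request(m["target"]):
            hits.append(Hit(m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits


def hits_by_source(hits):
    """Count hits per source address; several from one address suggest a scripted attempt."""
    return dict(Counter(h.ip for h in hits))


# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2026:16:02:11 +0000] "GET /scheduler/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2026:16:02:30 +0000] "POST /scheduler/classes/SystemSettings.php?f=update_settings HTTP/1.1" 200 27 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Apr/2026:16:03:02 +0000] "POST /scheduler/classes/SystemSettings.php?f=update%5Fsettings HTTP/1.1" 200 27 "-" "curl/8.5.0"
198.51.100.9 - - [14/Apr/2026:16:03:05 +0000] "POST /scheduler/classes/SystemSettings.php?x=1&f=update_settings HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.9 - - [14/Apr/2026:16:03:09 +0000] "GET /scheduler/classes/SystemSettings.php?f=get_settings HTTP/1.1" 200 411 "-" "curl/8.5.0"
192.0.2.4 - - [14/Apr/2026:16:04:44 +0000] "GET /scheduler/admin/?page=system_info HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.ip} {h.method} status={h.status}")
    print("per source:", hits_by_source(found))
```

A hit is not proof of exploitation: a legitimate administrator saving settings produces the same request. Correlate each source address with the admin login activity for that session, and treat hits from addresses that never authenticated, or that also probed other f= actions in quick succession, as the ones to investigate first. On a case-insensitive filesystem (IIS, Windows) compare the decoded path case-insensitively as well.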

Generated by OpenCVE AI on April 14, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain an updated version of Patient Appointment Scheduler System in which the update_settings handler of SystemSettings.php no longer executes attacker-controlled input; none is listed in this record yet, so check the vendor site before deploying
  • Restrict access to /scheduler/classes/SystemSettings.php to authenticated administrators at the application, and additionally at the web server or reverse proxy (for example by source address) while no patch exists; given PR:H in the CVSS vector, treat every administrator credential of this application as equivalent to shell access on the host
  • Validate every parameter accepted by update_settings against an allowlist of expected setting names and value formats, and never write request data into files that the PHP interpreter later includes or evaluates



Advisories

No advisories yet.

History

No values were removed in any of the entries below; each lists only the values added.

Tue, 14 Apr 2026 16:45:00 +0000

  • Title added: Arbitrary Code Execution via System Settings Update in Patient Appointment Scheduler System v1.0
  • Weaknesses added: CWE-94

Tue, 14 Apr 2026 16:30:00 +0000

  • First Time appeared: Sourcecodester; Sourcecodester patient Appointment Scheduler System
  • Vendors & Products added: Sourcecodester; Sourcecodester patient Appointment Scheduler System

Tue, 14 Apr 2026 16:15:00 +0000

  • Weaknesses added: CWE-89
  • Metrics added:
      cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 14:30:00 +0000

  • Description added: SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.
  • References added: (none listed)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:26:27.302Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37598

Vulnrichment

Updated: 2026-04-14T15:25:30.597Z

NVD

Status : Received

Published: 2026-04-14T15:16:33.750

Modified: 2026-04-14T16:16:42.237

Link: CVE-2026-37598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:48Z

Weaknesses