CVE-2026-37598 - Vulnerability Details

- Arbitrary Code Execution via Unvalidated Settings Update in Patient Appointment Scheduler System

Description

SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.

Published: 2026-04-14

Score: 2.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

SourceCodester Patient Appointment Scheduler System version 1.0 contains an RCE vulnerability in the update_settings endpoint located at /scheduler/classes/SystemSettings.php?f=update_settings. The code fails to validate or sanitize input, so a crafted request allows an attacker to execute arbitrary PHP code on the server. This grants the attacker full control over the web application environment, potentially exposing sensitive data, modifying configuration, or disrupting service, thereby compromising confidentiality, integrity, and availability.

Affected Systems

The affected product is SourceCodester Patient Appointment Scheduler System version 1.0. The flaw is confined to the SystemSettings update functionality in the web application; no other products or versions have been identified as vulnerable.

Risk and Exploitability

The CVSS score of 2.7 denotes low severity; however, the vulnerability is a classic RCE that can be triggered by any user who can send a request to the exposed endpoint, with no authentication required. The EPSS score is below 1%, indicating a low current exploitation probability, and the flaw is not listed in the CISA KEV catalog. Based on the description the attack vector is a remote web request that supplies malicious input to the vulnerable endpoint.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Sourcecodester

Patient Appointment Scheduler System

80%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Deploy any vendor‑supplied update or patch that addresses the RCE in the update_settings method as soon as it becomes available.
Limit access to the update_settings endpoint by enforcing authentication or restricting access to trusted administrators or specific IP ranges.
Enable application‑level logging and monitor server logs for unusual activity targeting the update_settings request to detect exploitation attempts.
If a patch cannot be applied immediately, disable the update_settings functionality or remove the vulnerable file to block exploitation until a fix is applied.
Keep the underlying platform, PHP runtime, and all third‑party components up to date with security patches to reduce the overall attack surface.

Generated by OpenCVE AI on April 16, 2026 at 02:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00239.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/RCE-1.md

History

Thu, 16 Apr 2026 03:00:00 +0000

Type	Values Removed	Values Added
Title		Arbitrary Code Execution via Unvalidated Settings Update in Patient Appointment Scheduler System

Wed, 15 Apr 2026 16:00:00 +0000

Type	Values Removed	Values Added
Title	Arbitrary Code Execution via System Settings Update in Patient Appointment Scheduler System v1.0
Weaknesses	CWE-94

Tue, 14 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title		Arbitrary Code Execution via System Settings Update in Patient Appointment Scheduler System v1.0
Weaknesses		CWE-94

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester patient Appointment Scheduler System
Vendors & Products		Sourcecodester Sourcecodester patient Appointment Scheduler System

Tue, 14 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-89
Metrics		cvssV3_1 `{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.
References		https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/RCE-1.md

Subscriptions

Sourcecodester Patient Appointment Scheduler System

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-14T00:00:00.000Z

Updated: 2026-04-14T15:26:27.302Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37598

Vulnrichment

Updated: 2026-04-14T15:25:30.597Z

NVD

Status : Deferred

Published: 2026-04-14T15:16:33.750

Modified: 2026-06-17T10:41:37.207

Link: CVE-2026-37598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object