Description
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php.
Published: 2026-04-14
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Now
AI Analysis

Impact

The Patient Appointment Scheduler System contains a SQL injection flaw in the view_details.php page, which is part of the administrative interface. The vulnerability stems from a SQL query that interpolates user-supplied input directly into the statement text without neutralizing it. Based on the description, it is inferred that an attacker could inject arbitrary SQL that the database executes when the page is requested. The potential impact, such as reading, modifying, or deleting appointment data, is likewise inferred, since the flaw allows manipulation of the SQL command itself.

Affected Systems

This flaw exists in SourceCodester Patient Appointment Scheduler System version 1.0. No other vendor or product variations are listed, and the CVE does not specify additional affected releases beyond that version.

Risk and Exploitability

The CVSS base score is 2.7, indicating low severity, and no EPSS score is available. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. Attackers would likely need to reach the authenticated administrative interface to exploit the flaw, possibly by using valid credentials or by leveraging other weaknesses to obtain access. Based on the description, the attack vector is inferred to be a crafted HTTP request to the view_details.php endpoint. The overall risk remains low, but the presence of potential data exposure warrants timely remediation.

Generated by OpenCVE AI on April 14, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor-supplied patch when it becomes available.
  • If a patch is unavailable, refactor the view_details.php code to use prepared statements or parameterized queries, so that user input is passed to the database as bound parameters rather than concatenated into the query text.
  • Limit access to the /scheduler/admin/appointments/view_details.php page to trusted administrators, and consider disabling or removing the endpoint if it is not required for normal operations.
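The following PHP snippet is an added illustration of the refactoring recommended above; it is not code from the Patient Appointment Scheduler project and does not reproduce the affected file. It places the defective pattern (request input interpolated into the SQL string) beside the hardened form (a mysqli prepared statement with a bound parameter). The table name, column names, the `id` request parameter and the connection details are all assumptions made for the demonstration.

```php
<?php
// Added example: hypothetical schema and parameter names, not the project's own code.

// --- Defective pattern: the class of flaw CWE-89 describes ---
// The request value is spliced into the SQL text, so the database parser cannot
// distinguish the fixed query from attacker-controlled data.
function get_appointment_vulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT * FROM appointments WHERE id = '{$id}'";   // interpolation: unsafe
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened form: prepared statement with a bound parameter ---
// The query text is fixed when prepared; the value is sent separately and is
// never parsed as SQL, whatever characters it contains.
function get_appointment_safe(mysqli $db, string $id): ?array
{
    // Type check first: appointment ids are integers in this hypothetical schema.
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT id, patient_id, schedule, status FROM appointments WHERE id = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);          // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage (connection values are placeholders, not the project's configuration):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'scheduler_db');
// $db->set_charset('utf8mb4');
// $appointment = get_appointment_safe($db, $_GET['id'] ?? '');
```

The type check before the prepared statement is defence in depth, not a substitute for it: the bound parameter is what prevents injection, while the `ctype_digit` guard rejects malformed requests early and keeps unexpected input out of the query path entirely.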

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:00:00 +0000

  Type: Title
  Values Added: SQL Injection in Admin Appointment View Details of Patient Appointment Scheduler System v1.0

Tue, 14 Apr 2026 16:45:00 +0000

  Type: Title
  Values Added: SQL Injection in Admin Appointment View Details of Patient Appointment Scheduler System v1.0

Tue, 14 Apr 2026 16:30:00 +0000

  Type: First Time appeared
  Values Added: Sourcecodester; Sourcecodester patient Appointment Scheduler System

  Type: Vendors & Products
  Values Added: Sourcecodester; Sourcecodester patient Appointment Scheduler System

Tue, 14 Apr 2026 16:15:00 +0000

  Type: Weaknesses
  Values Added: CWE-89

  Type: Metrics
  Values Added:
    cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 14:30:00 +0000

  Type: Description
  Values Added: SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:25:24.236Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37600

Vulnrichment

Updated: 2026-04-14T15:24:43.817Z

NVD

Status: Deferred

Published: 2026-04-14T15:16:33.863

Modified: 2026-06-17T10:41:37.363

Link: CVE-2026-37600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')