Description
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php.
Published: 2026-04-14
Score: 2.7 Low
EPSS: n/a
KEV: No
Impact: Data Compromise
Action: Apply Patch
AI Analysis

Impact

SourceCodester Patient Appointment Scheduler System v1.0 contains a SQL Injection vulnerability in the file /scheduler/admin/appointments/manage_appointment.php. An attacker who can send crafted requests to this endpoint may control the SQL queries executed by the application, allowing unauthorized access to appointment and user data, and potentially modifying or deleting records. The core weakness is unchecked user input in database queries, which can lead to leakage or alteration of sensitive medical scheduling information.

Affected Systems

The affected product is the Patient Appointment Scheduler System version 1.0 developed by SourceCodester. No other vendors or versions are mentioned, so this issue is confined to the specific version listed.

Risk and Exploitability

The vulnerability is exploitable over the network via malicious input supplied through the web interface; the attacker does not need privileged local access. While no EPSS score is available and the issue is not listed in CISA’s KEV catalog, the lack of mitigation means that attackers can leverage it relatively easily. The high impact on data confidentiality and integrity, combined with the ease of exploitation, places this vulnerability in a high‑risk category.

Generated by OpenCVE AI on April 14, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that the /scheduler/admin/appointments/manage_appointment.php script is not publicly accessible without authentication
  • Restrict input to allowed characters and lengths before it reaches the database layer
  • Replace inline SQL statements with parameterized queries or stored procedures to eliminate injection vectors
  • Apply or request a patch to SourceCodester that addresses the injection point
  • If a patch is unavailable, deploy a web application firewall rule set to detect and block typical SQL injection payloads
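The following is an added illustration of the first three actions above. It is example code written for this page, not code from the SourceCodester project, and it does not reproduce the real manage_appointment.php. The `$conn` mysqli connection, the `appointments` table and its columns, and the `admin_id` session key are all assumptions made for the example. The first function shows the inline-SQL shape the recommendation warns against, kept only for contrast; the second shows the validated, parameterized replacement.

```php
<?php
// Added example for this page (hypothetical; not the project's own code).
// Assumptions: a mysqli connection in $conn, an "appointments" table with an
// integer primary key "id" and columns patient_name / schedule, and an
// admin session that sets $_SESSION['admin_id'] on login.

// Action 1: do not serve the admin endpoint to unauthenticated callers.
function requireAdminSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Pattern to replace: the request value is spliced straight into the SQL text,
// so the client controls part of the statement. Shown for contrast only.
function loadAppointmentInline(mysqli $conn, array $get): ?array
{
    $id = $get['id'] ?? '';
    $sql = "SELECT id, patient_name, schedule FROM appointments WHERE id = '" . $id . "'";
    $result = $conn->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened form.
// Action 2: validate the input against its expected shape before it reaches
// the database layer (an appointment id must be a positive integer).
// Action 3: bind the value as a parameter so the driver never parses it as SQL.
function loadAppointmentParameterized(mysqli $conn, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // caller should answer with HTTP 400
    }

    $stmt = $conn->prepare(
        'SELECT id, patient_name, schedule FROM appointments WHERE id = ?'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);   // 'i' = integer placeholder
    $stmt->execute();
    // get_result() needs the mysqlnd driver (the default in modern PHP builds).
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage sketch for a page such as manage_appointment.php (hypothetical wiring):
// requireAdminSession();
// $appointment = loadAppointmentParameterized($conn, $_GET);
```

The validation step and the prepared statement are complementary rather than alternatives: the allow-list check rejects malformed ids early and gives a clean error path, while the bound parameter is what actually removes the injection vector, so a missed validation case still cannot alter the query.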

Generated by OpenCVE AI on April 14, 2026 at 15:23 UTC.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type: Title
Values removed: (none)
Values added: SQL Injection in Patient Appointment Scheduler System v1.0

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Sourcecodester; Sourcecodester patient Appointment Scheduler System

Type: Vendors & Products
Values removed: (none)
Values added: Sourcecodester; Sourcecodester patient Appointment Scheduler System

Tue, 14 Apr 2026 16:15:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-89

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 14:30:00 +0000

Type: Description
Values removed: (none)
Values added: SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php.

Type: References
Values removed: (none)
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:25:09.200Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37601

Vulnrichment

Updated: 2026-04-14T15:24:38.833Z

NVD

Status: Received

Published: 2026-04-14T15:16:33.987

Modified: 2026-04-14T16:16:42.573

Link: CVE-2026-37601

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:45Z

Weaknesses