Description
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.
Published: 2026-04-14
Score: 2.7 Low
EPSS: n/a
KEV: No
Impact: SQL injection resulting in unauthorized database manipulation
Action: Apply Patch
AI Analysis

Impact

The Patient Appointment Scheduler System version 1.0 contains a flaw in the manage_user.php script that concatenates user input directly into a SQL query without proper escaping or parameterization. This missing input validation allows attackers to inject arbitrary SQL statements, potentially reading, modifying, or deleting patient and appointment records. The impact on confidentiality and integrity is significant, as sensitive health information is stored in the database.

Affected Systems

The vulnerability exists in the SourceCodester Patient Appointment Scheduler System, specifically in the /scheduler/admin/user/manage_user.php endpoint. All installations of version 1.0 that expose this file are affected. No specific CPE strings are listed, and no vendor-specified product hierarchy is available in the data.

Risk and Exploitability

No public exploit has been documented and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is not available, but the lack of input validation suggests the vulnerability is highly exploitable, likely via a standard HTTP request to the offending endpoint. Because the attacker can manipulate SQL commands, the security risk is high regardless of current exploitation statistics. The attack vector is inferred to be remote over HTTP/S, and the threat model assumes an attacker with network access to the web application.

Generated by OpenCVE AI on April 14, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or upgrade to a newer version of the scheduler system
  • Refactor the manage_user.php code to use prepared statements with bound parameters
  • Sanitize and validate all incoming data before building SQL queries
  • Restrict access to the /scheduler/admin/user/manage_user.php endpoint to authenticated administrators with strong credentials
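The second and third recommendations above describe the standard CWE-89 fix: never splice request data into SQL text, validate it first, and pass it to the database as a bound parameter. The example below is added here to illustrate that pattern; it is not the Patient Appointment Scheduler System's own code. The users table, its columns, the $conn mysqli connection, the session layout and the hypothetical helper names are all assumptions for illustration only.

```php
<?php
// Added example, not the scheduler's own code. Table/column names, $conn and
// the $_SESSION['role'] layout are assumptions for illustration.
declare(strict_types=1);

// Raise exceptions on driver errors so a failed prepare() cannot be silently
// ignored and fall through to an unsafe fallback query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Admin-only endpoint (recommendation 4): refuse anyone without the admin role.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SESSION['role'] ?? null) !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Vulnerable pattern (CWE-89): the request value becomes part of the SQL text,
// so any quote or comment character in it changes the query's structure.
function load_user_vulnerable(mysqli $conn, array $get): ?array
{
    $sql = "SELECT id, username, role FROM users WHERE id = '" . ($get['id'] ?? '') . "'";
    $res = $conn->query($sql);
    return $res->fetch_assoc() ?: null;
}

// Hardened pattern: validate the shape of the input, then bind it. The SQL
// text is a constant; the value travels to the server separately.
function load_user_hardened(mysqli $conn, array $get): ?array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a positive integer: reject, do not try to "clean" it
    }

    $stmt = $conn->prepare('SELECT id, username, role FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Same discipline for a write path: every user-controlled value is bound, and
// the role is checked against an allow-list before it reaches the query.
function update_user_hardened(mysqli $conn, array $post): bool
{
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $username = trim((string)($post['username'] ?? ''));
    $role = (string)($post['role'] ?? '');

    if ($id === false || $username === '' || strlen($username) > 64
        || !in_array($role, ['admin', 'staff'], true)) {
        return false;
    }

    $stmt = $conn->prepare('UPDATE users SET username = ?, role = ? WHERE id = ?');
    $stmt->bind_param('ssi', $username, $role, $id);
    $stmt->execute();
    $changed = $stmt->affected_rows >= 0;
    $stmt->close();
    return $changed;
}

// Usage (assumed request handling for a manage_user-style page):
// require_admin();
// $conn = new mysqli('localhost', 'scheduler', 'secret', 'scheduler'); // assumed credentials
// $user = load_user_hardened($conn, $_GET);
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { update_user_hardened($conn, $_POST); }
```

The same pattern applies with PDO, provided PDO::ATTR_EMULATE_PREPARES is set to false so the placeholders are bound server-side rather than interpolated by the client library. Validation does not replace parameterization here: the integer check narrows what the handler accepts, while the bound parameter is what actually keeps data out of the query grammar.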


Tracking


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: SQL Injection in SourceCodester Patient Appointment Scheduler System v1.0

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Sourcecodester
  Sourcecodester patient Appointment Scheduler System

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Sourcecodester
  Sourcecodester patient Appointment Scheduler System

Tue, 14 Apr 2026 16:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.

Type: References
Values Removed: (none)
Values Added: (none)

Subscriptions

Sourcecodester Patient Appointment Scheduler System
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:24:23.662Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37602

Vulnrichment

Updated: 2026-04-14T15:24:12.448Z

NVD

Status: Received

Published: 2026-04-14T15:16:34.110

Modified: 2026-04-14T16:16:42.770

Link: CVE-2026-37602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:44Z

Weaknesses