Description
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.
Published: 2026-04-14
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Assess Impact
AI Analysis

Impact

The SourceCodester Patient Appointment Scheduler System version 1.0 has a vulnerability that permits SQL injection through the /scheduler/admin/user/manage_user.php endpoint. An attacker could manipulate input parameters to execute arbitrary SQL commands, potentially allowing read, modification, or deletion of sensitive data stored in the system’s database.

Affected Systems

This flaw affects the Patient Appointment Scheduler System released by SourceCodester, specifically version 1.0. No other product or vendor variants are listed.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and no exploit probability score is available. The vulnerability is not present in the CISA KEV catalog. Attackers who can reach the exposed admin endpoint—likely over the network—could exploit the injection to access or alter database contents. No publicly disclosed exploits have been reported.

Generated by OpenCVE AI on April 14, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that your system is running the vulnerable 1.0 release of the Patient Appointment Scheduler System
  • Check the vendor’s website or repository for an updated version that removes the injection flaw
  • If no update is available, modify the /scheduler/admin/user/manage_user.php code to use prepared statements or parameterized queries
  • Restrict access to the admin panel through network controls or authentication to limit exposure
  • Audit the application for other injection points and apply input validation throughout

Generated by OpenCVE AI on April 14, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in SourceCodester Patient Appointment Scheduler System v1.0

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in SourceCodester Patient Appointment Scheduler System v1.0

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester patient Appointment Scheduler System
Vendors & Products Sourcecodester
Sourcecodester patient Appointment Scheduler System

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.
References

Subscriptions

Sourcecodester Patient Appointment Scheduler System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:24:23.662Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37602

cve-icon Vulnrichment

Updated: 2026-04-14T15:24:12.448Z

cve-icon NVD

Status : Deferred

Published: 2026-04-14T15:16:34.110

Modified: 2026-06-17T10:41:37.673

Link: CVE-2026-37602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')