CVE-2026-4473 - Vulnerability Details

- itsourcecode Online Doctor Appointment System appointment_action.php sql injection

Description

A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_action.php. The manipulation of the argument appointment_id results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.

Published: 2026-03-20

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A SQL injection flaw exists in the /admin/appointment_action.php module of the Online Doctor Appointment System. By manipulating the appointment_id parameter, an attacker can inject arbitrary SQL commands that the database will execute. This can expose, alter, or delete sensitive appointment and patient data. The weakness is categorized as CWE‑74 (Improper Handling of Input) and CWE‑89 (Improper Neutralization of Special Elements used in an SQL Command).

Affected Systems

The vulnerability affects the Online Doctor Appointment System developed by itsourcecode, specifically version 1.0. No other variants or releases are listed as impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity, but the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, implying it has not been observed in known, actively exploited attacks. Because the attack can be launched remotely through the public web interface, an attacker who discovers the flaw can exploit it without needing privileged credentials or local access. The available public exploit code further raises the potential for automated attacks. Organizations running the affected version should treat this as a medium‑risk threat that could enable data leakage or tampering if left unmitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

Online Doctor Appointment System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:unguardable:online_doctor_appointment_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Itsourcecode

Online Doctor Appointment System

100%

Version	Status	Scheme	Platform
`[1.0,1.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest patch or upgrade from itsourcecode to a newer version that eliminates the SQL injection issue.
If an update is not feasible, restrict remote access to the /admin/appointment_action.php page to trusted administrators only and enforce strict firewall rules.
Sanitize and validate the appointment_id input and refactor the database queries to use prepared statements or stored procedures.
Monitor web application logs for suspicious SQL activity and database access patterns.
Review vendor advisories and maintain an inventory of the system to ensure timely patch deployment.

Generated by OpenCVE AI on March 23, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/sjkdhl/public/issues/2
https://itsourcecode.com/
https://vuldb.com/?ctiid.351763
https://vuldb.com/?id.351763
https://vuldb.com/?submit.772883

History

Mon, 23 Mar 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Unguardable Unguardable online Doctor Appointment System
CPEs		cpe:2.3:a:unguardable:online_doctor_appointment_system:1.0:::::::*
Vendors & Products		Unguardable Unguardable online Doctor Appointment System

Fri, 20 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Mar 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Itsourcecode Itsourcecode online Doctor Appointment System
Vendors & Products		Itsourcecode Itsourcecode online Doctor Appointment System

Fri, 20 Mar 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_action.php. The manipulation of the argument appointment_id results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.
Title		itsourcecode Online Doctor Appointment System appointment_action.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/sjkdhl/public/issues/2 https://itsourcecode.com/ https://vuldb.com/?ctiid.351763 https://vuldb.com/?id.351763 https://vuldb.com/?submit.772883
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Itsourcecode Online Doctor Appointment System

Unguardable Online Doctor Appointment System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-20T05:32:12.517Z

Updated: 2026-03-20T15:55:40.784Z

Reserved: 2026-03-19T20:36:23.894Z

Link: CVE-2026-4473

Vulnrichment

Updated: 2026-03-20T15:55:33.685Z

NVD

Status : Analyzed

Published: 2026-03-20T06:16:12.997

Modified: 2026-03-23T12:44:12.967

Link: CVE-2026-4473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object