Description
A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
Published: 2026-03-31
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in the Username field of /admin/login.php. An attacker can inject arbitrary SQL that is passed to the backend database without proper sanitization, allowing bypass of authentication and unauthorized read, alteration or deletion of appointment records and other confidential data stored in the database.

Affected Systems

SourceCodester Simple Doctors Appointment System version 1.0 runs on web servers that expose the /admin/login.php endpoint to external clients. The vulnerability affects that specific module of the application.

Risk and Exploitability

The CVSS base score of 6.9 indicates a moderate risk level. The EPSS score is not available and the CVE is not listed in the CISA KEV catalog, suggesting that no widespread exploitation has been confirmed yet. However, because exploit code is publicly available, automated scanners could discover and target this flaw from any network, and an attacker would only need to send crafted HTTP requests to trigger the injection.

Generated by OpenCVE AI on March 31, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an official patch from SourceCodester and apply it immediately.
  • If no patch is available, modify the login logic to use prepared statements or parameterized queries for all user input before forming SQL statements.
  • Restrict direct access to /admin/login.php by implementing IP whitelisting or requiring VPN access.
  • Reduce the privileges of the database user used by the application to limit damage in case of injection.
  • Continuously monitor authentication logs for repeated SQL syntax errors or unusual request patterns that may indicate attempted exploitation.
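As an added illustration of the prepared-statement fix recommended above (example code, not the project's own; the admin table, its columns, the session handling and the connection values are assumptions), a hardened PHP login handler shown beside the string-concatenation pattern it replaces:

```php
<?php
// Added illustration, not SourceCodester's code. The table "admin", its
// columns and the PDO connection values are assumptions for this example.
declare(strict_types=1);
session_start();

// Placeholder DSN and credentials; real deployments read these from config.
$pdo = new PDO('mysql:host=localhost;dbname=appointments', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
]);

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

// The pattern behind this class of bug: request input spliced straight into the
// query string, so the Username value is parsed as SQL rather than treated as data.
//   $sql = "SELECT * FROM admin WHERE username='$username' AND password='$password'";
//   $row = $pdo->query($sql)->fetch();

// Hardened form: the SQL text is fixed at prepare time; the value is bound as a
// parameter and can never change the statement's structure.
$stmt = $pdo->prepare('SELECT id, password_hash FROM admin WHERE username = :username LIMIT 1');
$stmt->execute([':username' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare the password in PHP against a stored hash, so it never enters the query.
if ($row !== false && password_verify($password, $row['password_hash'])) {
    session_regenerate_id(true);
    $_SESSION['admin_id'] = (int)$row['id'];
    header('Location: /admin/index.php');
    exit;
}

// Identical response for unknown user and wrong password; log the attempt with the
// raw value JSON-encoded so control characters cannot forge log lines.
error_log('admin login failed for username=' . json_encode($username));
http_response_code(401);
echo 'Invalid credentials';
```

Pairing the parameterized query with a low-privilege database account, as the actions above also recommend, limits what a future injection elsewhere in the application could reach.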

Generated by OpenCVE AI on March 31, 2026 at 05:52 UTC.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Sourcecodester; Sourcecodester doctor Appointment System

Type: Vendors & Products
Values Added: Sourcecodester; Sourcecodester doctor Appointment System

Tue, 31 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 04:30:00 +0000

Type: Description
Values Added: A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

Type: Title
Values Added: SourceCodester Simple Doctors Appointment System login.php sql injection

Type: Weaknesses
Values Added: CWE-74, CWE-89

Type: References

Type: Metrics
Values Added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Sourcecodester Doctor Appointment System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-31T13:49:31.730Z

Reserved: 2026-03-30T18:58:56.794Z

Link: CVE-2026-5179

Vulnrichment

Updated: 2026-03-31T13:49:27.299Z

NVD

Status: Deferred

Published: 2026-03-31T05:16:11.920

Modified: 2026-04-24T18:11:16.583

Link: CVE-2026-5179

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:10:33Z

Weaknesses