CVE-2026-9603 - Vulnerability Details

- SourceCodester eDoc Doctor Appointment System delete-session.php authorization

Description

A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

Published: 2026-05-26

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the delete-session.php script of the SourceCodester eDoc Doctor Appointment System allows attackers to manipulate the session identifier parameter, bypassing the built‑in authorization checks. This missing authorization can be leveraged to remove or delete any user session, effectively granting the attacker control over targeted accounts or enabling denial of service by terminating sessions. The vulnerability is cataloged with CWE-862 and CWE-863, indicating that the system fails to enforce proper authorization and access control.

Affected Systems

The affected product is SourceCodester eDoc Doctor Appointment System version 1.0. Any deployment of this version that exposes the /admin/delete-session.php endpoint is susceptible, regardless of the underlying operating system or web server used.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9, representing moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the gap remotely by sending crafted requests that alter the session ID parameter. Successful exploitation would grant unauthorized access to session deletion capabilities, potentially leading to privilege escalation or denial of service in affected installations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

eDoc Doctor Appointment System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Sourcecodester

Edoc Doctor Appointment System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Obtain and install the latest version of SourceCodester eDoc Doctor Appointment System from the vendor, ensuring that it includes the fix for the deletion‑session authorization flaw.
Restrict access to the /admin/delete-session.php endpoint by enforcing role‑based permissions or removing the endpoint from public accessibility if it is not required.
Implement server‑side validation to confirm that the session ID provided in requests matches the authenticated user’s session, thereby preventing manipulation of session identifiers.

Generated by OpenCVE AI on May 26, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00325.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9603-Missing-Authorization/Advisory.md
https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9603-Missing-Authorization/poc.sh
https://vuldb.com/submit/817935
https://vuldb.com/vuln/365676
https://vuldb.com/vuln/365676/cti
https://www.sourcecodester.com/

History

Wed, 27 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 26 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Title		SourceCodester eDoc Doctor Appointment System delete-session.php authorization
First Time appeared		Sourcecodester Sourcecodester edoc Doctor Appointment System
Weaknesses		CWE-862 CWE-863
CPEs		cpe:2.3:a:sourcecodester:edoc_doctor_appointment_system::::::::
Vendors & Products		Sourcecodester Sourcecodester edoc Doctor Appointment System
References		https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9603-Missing-Authorization/Advisory.md https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9603-Missing-Authorization/poc.sh https://vuldb.com/submit/817935 https://vuldb.com/vuln/365676 https://vuldb.com/vuln/365676/cti https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Sourcecodester Edoc Doctor Appointment System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-26T22:00:14.230Z

Updated: 2026-05-27T12:55:07.587Z

Reserved: 2026-05-26T16:02:52.829Z

Link: CVE-2026-9603

Vulnrichment

Updated: 2026-05-27T12:54:50.954Z

NVD

Status : Deferred

Published: 2026-05-26T22:16:44.467

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-9603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:08:08Z

Weaknesses

CWE-862
Missing Authorization
CWE-863
Incorrect Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object