Platform: php
Component: patients-waiting-area-queue-management-system
Fixed in: 1.0.1
CVE-2026-1146 describes a cross-site scripting (XSS) vulnerability discovered in the Patients Waiting Area Queue Management System, specifically affecting version 1.0. This flaw allows attackers to inject malicious scripts into the application via manipulation of the firstName/lastName parameters within the /php/apiregisterpatient.php file. The vulnerability is remotely exploitable and has been publicly disclosed, potentially increasing the risk of exploitation.
Successful exploitation of CVE-2026-1146 allows an attacker to inject arbitrary JavaScript code into the Patients Waiting Area Queue Management System. This can lead to various malicious outcomes, including session hijacking, defacement of the application's interface, and redirection of users to phishing sites. The attacker could potentially steal sensitive user data, such as patient information, if it's displayed or processed within the application. While the CVSS score is LOW, the ease of exploitation and potential for user interaction make it a concerning risk, especially in environments where the application handles sensitive data or is integrated with other systems.
CVE-2026-1146 was publicly disclosed on 2026-01-19. A public proof-of-concept (PoC) is likely to be available given the public disclosure. The vulnerability's LOW CVSS score suggests a relatively simple exploitation path, but the public availability of the vulnerability increases the likelihood of exploitation attempts. No KEV listing or confirmed exploitation campaigns are currently known.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-1146 is to upgrade to a patched version of the Patients Waiting Area Queue Management System as soon as it becomes available. Until a patch is released, consider implementing input validation and sanitization on the firstName and lastName parameters within the /php/apiregisterpatient.php file. This can help prevent malicious code from being injected. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Regularly review and update your WAF rules to ensure they are effective against known XSS patterns.
Update to a patched version of the patient queue management system. Contact the vendor for a corrected version or implement input sanitization measures for the firstName and lastName fields in the /php/api_register_patient.php file to prevent XSS code execution.
CVE-2026-1146 is a cross-site scripting (XSS) vulnerability in SourceCodester's Patients Waiting Area Queue Management System version 1.0, affecting the /php/apiregisterpatient.php file. Attackers can inject malicious scripts via manipulated firstName/lastName arguments.
If you are using Patients Waiting Area Queue Management System version 1.0, you are potentially affected by this XSS vulnerability. Upgrade to a patched version as soon as available.
The recommended fix is to upgrade to a patched version of the Patients Waiting Area Queue Management System. Until a patch is released, implement input validation and sanitization on the firstName and lastName parameters.
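The input validation and output encoding recommended in the mitigation section (and restated above) can look like the following. This is an added example, not code from the Patients Waiting Area Queue Management System; it assumes the firstName and lastName parameters arrive by POST and that the registration endpoint answers with JSON, and the function names are invented for illustration.

```php
<?php
// Added example, not the project's code: the page names firstName/lastName parameters
// on the patient registration endpoint; this assumes they arrive via POST and the
// endpoint answers with JSON. Function names and structure are assumptions.
declare(strict_types=1);

// Input validation: allow letters, combining marks, spaces, apostrophes and hyphens,
// 1-60 characters; reject everything else instead of trying to strip tags.
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    return preg_match("/^[\\p{L}\\p{M}' -]+$/u", $name) === 1 ? $name : null;
}

// Output encoding for any place a name is rendered into HTML (e.g. the queue display).
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern the advisory describes: request input reflected unencoded.
function vulnerableResponse(array $post): string
{
    return "<p>Registered: {$post['firstName']} {$post['lastName']}</p>";
}

// Hardened version: validate on input, encode for the output context (JSON here,
// with HEX flags so the body stays inert even if a client treats it as HTML).
function hardenedResponse(array $post): array
{
    $first = validateName((string)($post['firstName'] ?? ''));
    $last  = validateName((string)($post['lastName'] ?? ''));
    if ($first === null || $last === null) {
        return ['status' => 400, 'body' => json_encode(['error' => 'invalid name'])];
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    $body  = json_encode(['firstName' => $first, 'lastName' => $last], $flags);
    return ['status' => 200, 'body' => $body];
}

// Constructed sample request carrying a script tag in firstName.
$sample = ['firstName' => '<script>alert(1)</script>', 'lastName' => "O'Brien"];
$r = hardenedResponse($sample);
header('Content-Type: application/json; charset=utf-8', true, $r['status']);
echo $r['body'], "\n";
// For contrast, vulnerableResponse($sample) would return the <script> tag verbatim,
// and escapeForHtml("O'Brien") gives O&apos;Brien for safe HTML rendering.
```

Rejecting invalid input with a 400 and always encoding for the actual output context (JSON or HTML) covers both the registration API and any page that later displays the stored name.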
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation attempts.
Refer to the SourceCodester website and relevant security forums for updates and advisories regarding CVE-2026-1146.