Platform
php
Component
patients-waiting-area-queue-management-system
Fixed in
1.0.1
CVE-2026-1147 describes a cross-site scripting (XSS) vulnerability discovered in the Patients Waiting Area Queue Management System, specifically affecting version 1.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides within the /php/apipatientschedule.php file, and exploitation can be initiated remotely. A public proof-of-concept is available, highlighting the potential for immediate exploitation.
The primary impact of CVE-2026-1147 is the potential for cross-site scripting (XSS) attacks. An attacker can inject malicious JavaScript code into the application, which will then be executed in the context of a user's browser. This can lead to various consequences, including session hijacking, redirection to malicious websites, and the theft of sensitive information such as login credentials or personal data. Given the public availability of a proof-of-concept, the risk of exploitation is elevated, particularly for systems that are not promptly patched. The attack vector is remote, meaning an attacker does not need to be on the same network as the vulnerable system.
CVE-2026-1147 has been publicly disclosed, and a proof-of-concept is available, indicating a moderate risk of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. The LOW CVSS score reflects the relatively simple exploitation process and the limited potential impact, although the public PoC significantly increases the likelihood of exploitation. Active campaigns targeting this specific vulnerability have not been confirmed, but the public availability of the exploit makes it a potential target for opportunistic attackers.
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-1147 is to upgrade to a patched version of the Patients Waiting Area Queue Management System. Since a fixed version is not specified, immediate action is crucial. As an interim measure, implement a Web Application Firewall (WAF) rule to filter or sanitize user input to the 'Reason' parameter in /php/apipatientschedule.php. Review and validate all user-supplied data before rendering it in the application, combining input validation with context-appropriate output encoding so that injected markup is rendered as inert text rather than executed. After implementing these mitigation steps, thoroughly test the application to ensure that the vulnerability has been effectively addressed.
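An added illustration of the validate-on-input, encode-on-output advice above; this is example code, not the SourceCodester project's own, and the endpoint shape, function names, the 255-character cap and the presence of the mbstring extension are assumptions.

```php
<?php
// Added example, not code from the SourceCodester project: a sketch of how an endpoint
// can reflect the 'Reason' parameter unsafely, beside the validated and encoded form.
// Function names, the 255-character cap and the HTML/JSON shapes are assumptions.

// Vulnerable pattern: the raw request value is interpolated straight into HTML,
// so any markup submitted in 'Reason' is interpreted by the browser.
function renderReasonUnsafe(string $reason): string
{
    return '<td class="reason">' . $reason . '</td>';
}

// Input validation: bound the length and reject control characters.
function validateReason(string $reason): string
{
    $reason = trim($reason);
    if ($reason === '' || mb_strlen($reason, 'UTF-8') > 255) {
        throw new InvalidArgumentException('Reason must be 1-255 characters');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $reason) === 1) {
        throw new InvalidArgumentException('Reason contains control characters');
    }
    return $reason;
}

// Output encoding for an HTML context: ENT_QUOTES neutralises both quote styles so the
// value is inert inside attributes too; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking it.
function renderReasonSafe(string $reason): string
{
    $encoded = htmlspecialchars($reason, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td class="reason">' . $encoded . '</td>';
}

// Output encoding for a JSON context: if the API answers with JSON, escape the
// HTML-significant characters so the body stays safe if a client inserts it into the DOM.
function jsonReason(string $reason): string
{
    return json_encode(['Reason' => $reason],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed sample request carrying markup characters (not a live payload).
$request = ['Reason' => 'Follow-up <b>visit</b> "urgent"'];
$reason  = validateReason((string) ($request['Reason'] ?? ''));
echo renderReasonUnsafe($reason), PHP_EOL;  // markup passes through unchanged
echo renderReasonSafe($reason), PHP_EOL;    // markup rendered as inert text
echo jsonReason($reason), PHP_EOL;          // angle brackets and quotes hex-escaped
```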
Update to a patched version of the patient queue management system. Contact the vendor for a corrected version or apply necessary security measures to prevent XSS attacks, such as user input sanitization.
CVE-2026-1147 is a cross-site scripting (XSS) vulnerability in SourceCodester's Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts via the 'Reason' parameter.
If you are using Patients Waiting Area Queue Management System version 1.0, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade to a patched version of the Patients Waiting Area Queue Management System. Until a patch is available, implement WAF rules and input validation to mitigate the risk.
While active campaigns are not confirmed, a public proof-of-concept exists, increasing the likelihood of exploitation.
Refer to the SourceCodester website or relevant security forums for updates and advisories regarding CVE-2026-1147.