Platform: php
Component: cveproject
Fixed in: 1.0.1
CVE-2026-2149 is a cross-site scripting (XSS) vulnerability affecting the Patients Waiting Area Queue Management System developed by SourceCodester/Patrick Mvuma. It allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability affects version 1.0 of the system and is triggered by manipulating the patient_id parameter handled by the /appointments.php file. A fix is pending, and mitigation strategies are recommended.
Successful exploitation of CVE-2026-2149 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including stealing user credentials (session hijacking), redirecting users to phishing sites, or defacing the application's interface. The attacker can potentially gain access to sensitive patient data if the application handles such information. Given the public availability of the exploit, the risk of exploitation is elevated, particularly for systems that are not promptly patched or protected by mitigating controls.
The vulnerability details were publicly disclosed on 2026-02-08, and a proof-of-concept exploit is already available. This significantly increases the likelihood of exploitation. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. Active campaigns targeting this vulnerability are possible given the ease of exploitation.
EPSS: 0.01% (2nd percentile)
While a patch is not yet available, several mitigation strategies can reduce the risk associated with CVE-2026-2149. Deploy a Web Application Firewall (WAF) with rules that filter malicious input targeting the patient_id parameter of /appointments.php. Server-side input validation and output sanitization are essential to prevent XSS. Consider a Content Security Policy (CSP) to restrict the sources from which scripts may be executed. Regularly monitor application logs for suspicious requests to the /appointments.php endpoint. After deploying WAF rules, verify their effectiveness by attempting to inject a simple XSS payload.
Update to a patched version or apply the necessary security measures to prevent code injection (XSS). Validate and sanitize user inputs, especially the patient_id parameter in appointments.php. Implement content security policy (CSP).
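The validation and output-encoding advice above, as an added illustration that is not the project's code: a hypothetical handler for patient_id in its vulnerable form beside a hardened form, plus a CSP header. Function names, the integer-only shape of patient_id, and the sample input are assumptions.

```php
<?php
// Added illustration, not the project's code. Hypothetical handling of the
// patient_id query parameter, vulnerable and hardened side by side.

// VULNERABLE (hypothetical): the raw parameter is concatenated into HTML,
// so any markup or script in patient_id is interpreted by the browser.
function render_vulnerable(array $get): string
{
    $id = $get['patient_id'] ?? '';
    return "<h2>Queue for patient " . $id . "</h2>";
}

// HARDENED (hypothetical): accept only the expected shape (a positive integer,
// an assumption about this field) and reject everything else.
function validate_patient_id($raw): ?int
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer literal.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function render_hardened(array $get): string
{
    $id = validate_patient_id($get['patient_id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        return "<p>Invalid patient id.</p>";
    }
    // Encode on output even after validation: defence in depth.
    $safe = htmlspecialchars((string)$id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Queue for patient " . $safe . "</h2>";
}

// Restrictive CSP: inline scripts are not executed even if encoding is missed
// somewhere else in the page. Tighten or loosen sources to fit the deployment.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Constructed sample input for demonstration (not a real request).
$sample = ['patient_id' => '12<script>alert(1)</script>'];
echo render_vulnerable($sample), PHP_EOL;   // script tag reaches the page as-is
echo render_hardened($sample), PHP_EOL;     // rejected with "Invalid patient id."
```

A WAF rule blocks the same request before it reaches the application; the server-side validation and encoding remain the primary control because WAF rules can be bypassed by encoding variations.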
CVE-2026-2149 is a cross-site scripting (XSS) vulnerability in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using version 1.0 of the Patients Waiting Area Queue Management System, you are potentially affected by this vulnerability. Assess your environment and implement mitigation strategies.
A patch is not yet available. Implement WAF rules, input validation, and Content Security Policy (CSP) as temporary mitigations.
A proof-of-concept exploit is publicly available, increasing the likelihood of active exploitation. Monitor your systems closely.
Check the SourceCodester website and relevant security forums for updates and advisories regarding CVE-2026-2149.