Platform
php
Component
cveproject
Fixed in
1.0.1
CVE-2026-2150 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester's Patients Waiting Area Queue Management System, version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the /checkin.php file and is triggered by manipulating the patient_id argument. A public exploit is already available.
Successful exploitation of CVE-2026-2150 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content displayed on the application. The impact is particularly severe if the application handles sensitive patient data, as an attacker could potentially access or modify this information. The availability of a public exploit significantly increases the risk of widespread exploitation.
CVE-2026-2150 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability was published on 2026-02-08. The availability of a public exploit suggests that attackers are actively seeking to exploit this vulnerability. No KEV listing or EPSS score is currently available.
EPSS
0.01% (2nd percentile)
The primary mitigation for CVE-2026-2150 is to upgrade to a patched version of the Patients Waiting Area Queue Management System. Since no fixed version is specified, consider reverting to a previous known-good version if upgrading causes instability. As a temporary workaround, implement strict input validation and sanitization on the patient_id parameter within the /checkin.php file. Web application firewalls (WAFs) can be configured to filter out malicious input patterns associated with XSS attacks. Regularly review and update security rules to address emerging threats.
Update the Patients Waiting Area Queue Management System to a version later than 1.0, if available, or apply a patch that correctly filters and escapes the input of the patient_id parameter in the checkin.php file to prevent cross-site scripting (XSS) code injection.
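The two controls named above, allow-list validation of patient_id and output escaping before it is rendered, as an added PHP example that is not SourceCodester's code; the handler name, the HTML wording, and the assumption that patient_id is a positive integer are all hypothetical.

```php
<?php
// Added example (not the project's code): validating and escaping the
// patient_id parameter of a check-in page. Assumption: patient_id is a
// positive integer that is later echoed into an HTML response.
declare(strict_types=1);

/**
 * Allow-list validation. Accept only a positive integer (up to 10 digits)
 * and return it as int; return null for anything else so the raw string
 * never reaches the template or a database query.
 */
function validate_patient_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Output encoding for an HTML body or attribute context. ENT_QUOTES escapes
 * both quote styles; ENT_SUBSTITUTE prevents an empty result on invalid UTF-8.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical check-in handler: returns the HTML fragment to render, or
 * null when the request should be rejected with HTTP 400.
 */
function handle_checkin(array $query): ?string
{
    $patientId = validate_patient_id($query['patient_id'] ?? null);
    if ($patientId === null) {
        return null;
    }
    // The validated integer is what reaches any lookup; the rendered
    // copy is escaped even though it is already numeric (defence in depth).
    return '<p>Checking in patient ' . html_escape((string) $patientId) . '</p>';
}

// Constructed sample inputs: a valid id is rendered, a non-numeric one is rejected.
assert(handle_checkin(['patient_id' => '42']) === '<p>Checking in patient 42</p>');
assert(handle_checkin(['patient_id' => '42abc']) === null);
assert(handle_checkin([]) === null);

$html = handle_checkin($_GET);
http_response_code($html === null ? 400 : 200);
header('Content-Type: text/html; charset=UTF-8');
echo $html ?? 'Invalid patient id';
```

Run under the CLI the script has an empty $_GET and so takes the rejection path; the three assert lines show the expected behaviour for constructed inputs (enable zend.assertions=1 to have them checked).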
CVE-2026-2150 is a cross-site scripting (XSS) vulnerability in SourceCodester's Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using Patients Waiting Area Queue Management System version 1.0, you are potentially affected by this vulnerability. Upgrade is recommended.
Upgrade to a patched version of the software. If upgrading is not possible, implement input validation and sanitization and consider using a WAF.
A public exploit is available, suggesting a high probability of active exploitation.
Refer to the SourceCodester website or relevant security mailing lists for official advisories regarding this vulnerability.