Platform: php
Component: proof-of-concept
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in SourceCodester Doctor Appointment System version 1.0. This weakness resides within the /register.php file, specifically affecting the sign-up page functionality. Exploitation involves manipulating the Email argument, allowing attackers to inject malicious scripts. Affected users should prioritize upgrading to a patched version to mitigate this risk.
Successful exploitation of CVE-2026-3302 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to a variety of malicious actions, including session hijacking, credential theft, and defacement of the application. The attacker could potentially steal sensitive patient data or gain unauthorized access to administrative functions. Given the public availability of the exploit, the risk of immediate exploitation is significant. The impact is amplified if the application is used in a healthcare setting, where patient privacy is paramount.
The exploit for CVE-2026-3302 has been publicly disclosed, indicating a high probability of exploitation. It is currently not listed on KEV or EPSS, but the public availability of the exploit warrants immediate attention. The vulnerability was published on 2026-02-27, suggesting a relatively recent discovery.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3302 is to upgrade to a patched version of Doctor Appointment System. Since a fixed version is not specified, immediate action is crucial. As a temporary workaround, implement strict input validation and output encoding on the Email field in /register.php. A Web Application Firewall (WAF) can be configured to block requests containing suspicious characters or patterns in the Email parameter. Regularly review and update WAF rules to address evolving attack techniques. Consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed.
Update to a patched version of the Doctor Appointment System. If a patched version is not available, it is recommended to sanitize user inputs, especially the 'Email' field in the registration form, to prevent the execution of malicious JavaScript code.
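The workaround above (validate the Email field, encode it on output, and add a CSP) sketched as an added example; this is not SourceCodester's code, and the form field name, the page layout and the CSP policy are assumptions.

```php
<?php
// Added example (not the Doctor Appointment System's own code): a hardened
// sign-up handler for an Email field such as the one in /register.php.
declare(strict_types=1);

// 1. CSP: only same-origin script files may run, so an injected inline
//    <script> or event-handler attribute is refused by the browser even if
//    encoding is missed somewhere. Policy is an assumption; tune to the app.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

/**
 * Validate a submitted e-mail address. Returns the address, or null when it
 * is not a syntactically valid e-mail. Validation narrows the input; output
 * encoding (below) is the control that actually prevents XSS.
 */
function validate_email(string $raw): ?string
{
    $trimmed = trim($raw);
    if ($trimmed === '' || strlen($trimmed) > 254) { // RFC 5321 length bound
        return null;
    }
    $valid = filter_var($trimmed, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Encode for HTML text or attribute context. ENT_QUOTES escapes both quote
 * characters, so the result is safe inside value="..." as well as in text.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$raw   = $_POST['email'] ?? '';                       // field name is an assumption
$email = is_string($raw) ? validate_email($raw) : null; // reject email[] arrays too

if ($email === null) {
    // Generic message: never echo the rejected input back unencoded.
    $error = 'Please enter a valid e-mail address.';
} else {
    $error = null;
    // ... store with a prepared statement and redirect (not shown) ...
}

// 2. Output encoding at the point of rendering. The unsafe pattern this
//    replaces is echoing $_POST['email'] straight into the page.
?>
<form method="post" action="/register.php">
  <label>Email <input type="email" name="email" value="<?= h($email ?? '') ?>"></label>
  <?php if ($error !== null): ?><p class="error"><?= h($error) ?></p><?php endif; ?>
  <button type="submit">Register</button>
</form>
```

The CSP header must be sent before any output, and the same `h()` encoding applies wherever the stored address is later displayed (profile pages, admin lists), since a stored XSS is triggered there rather than on the sign-up page.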
CVE-2026-3302 is a cross-site scripting vulnerability in Doctor Appointment System 1.0, allowing attackers to inject malicious scripts via the Email parameter in /register.php.
If you are using Doctor Appointment System version 1.0, you are potentially affected. Upgrade as soon as possible.
Upgrade to a patched version of Doctor Appointment System. If a patch is unavailable, implement input validation and output encoding, and consider a WAF.
The exploit is publicly available, indicating a high probability of active exploitation. Immediate action is recommended.
Check the SourceCodester website and relevant security forums for updates and advisories related to CVE-2026-3302.