Platform: php
Fixed in: 1.0.1
A SQL Injection vulnerability has been identified in SourceCodester Simple Doctors Appointment System version 1.0. This flaw resides within the /admin/login.php file and allows attackers to manipulate the Username argument, potentially leading to unauthorized access and data compromise. The vulnerability is remotely exploitable and a public proof-of-concept exists, increasing the risk of exploitation.
The SQL Injection vulnerability in Simple Doctors Appointment System allows an attacker to inject malicious SQL code into the Username field of the login page. This can be exploited to bypass authentication, gaining access to the administrative panel. Successful exploitation could lead to the theft of sensitive patient data, modification of appointment schedules, or even complete control of the database. Given the public availability of a proof-of-concept, the risk of exploitation is significant, particularly for systems with weak security configurations or those not regularly patched. The potential blast radius extends to all data stored within the database, including patient records, appointment details, and administrative credentials.
This vulnerability is considered actively exploitable due to the public availability of a proof-of-concept. It was disclosed on 2026-03-31. While not currently listed on the CISA KEV catalog, the ease of exploitation and public availability of the PoC warrant close monitoring. Attackers may leverage automated scanning tools to identify vulnerable instances of Simple Doctors Appointment System.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5179 is to upgrade to a patched version of Simple Doctors Appointment System. Unfortunately, a fixed version is not specified in the provided data. As an immediate workaround, validate and sanitize the Username field so that a submitted value can never change the structure of the login query; the reliable way to do this is to use parameterized queries, with escaping of user-supplied input only as a fallback. A Web Application Firewall (WAF) configured with rules that detect and block SQL injection attempts adds a further layer of defense. Monitor web access and application logs for requests to the /admin/login.php endpoint that carry SQL injection patterns.
Update to a patched version of the appointment system. If none is available, review and sanitize user input in login.php, especially the Username field, to prevent SQL injection; prefer parameterized queries or an ORM over hand-written query strings.
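The example below is added here to show the flaw class described above and the fix the mitigation calls for; it is not code from the SourceCodester project. It places the concatenated-query pattern that makes a login handler injectable next to a hardened handler built on mysqli prepared statements, and it logs failed attempts so the /admin/login.php endpoint can be monitored as recommended. The table name `admin`, its columns (`id`, `username`, `password_hash`), the form field names and the helper names are assumptions; the real project's schema and code are not on this page.

```php
<?php
// Added example, not the project's code. Assumed schema: table `admin` with
// columns id, username, password_hash (output of password_hash()).
declare(strict_types=1);

// VULNERABLE pattern (illustrative of the flaw class): the submitted values are
// spliced into the SQL string, so the Username field can rewrite the WHERE clause.
function vulnerableLogin(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM admin WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ?: null;
}

// HARDENED: the username is bound as a parameter and is never parsed as SQL;
// the password is verified against a stored hash in PHP, not compared in SQL.
function secureLogin(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM admin WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Always run password_verify(), even for unknown users, so response time
    // does not reveal which usernames exist (dummy hash is constructed at runtime).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $hash = $row['password_hash'] ?? $dummyHash;
    $ok = password_verify($password, $hash) && $row !== null;

    if (!$ok) {
        logFailedLogin($username);
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Monitoring hook: record failed attempts with a bounded, newline-stripped copy of
// the submitted username so injection-looking input is visible during log review.
function logFailedLogin(string $username): void
{
    $sample = substr(str_replace(["\r", "\n"], ' ', $username), 0, 80);
    $flag = looksLikeSqlInjection($username) ? 'SUSPECT' : 'FAIL';
    error_log(sprintf('[admin/login.php] %s user=%s ip=%s',
        $flag, json_encode($sample), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
}

// Heuristic for alerting only, never a substitute for prepared statements:
// a quote followed by an SQL keyword or comment token inside a username value.
function looksLikeSqlInjection(string $value): bool
{
    $v = urldecode($value);
    return (bool) preg_match('/[\'"].*?(\bor\b|\band\b|\bunion\b|\bselect\b|--|#|\/\*)/i', $v);
}

// Request handler as it would sit in login.php (assumed form field names).
function handleLoginRequest(mysqli $db): void
{
    session_start();
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $admin = secureLogin($db, $username, $password);
    if ($admin === null) {
        http_response_code(401);
        echo 'Invalid credentials';
        return;
    }
    session_regenerate_id(true);  // new session id after authentication (anti-fixation)
    $_SESSION['admin_id'] = $admin['id'];
    header('Location: /admin/index.php');
}
```

Wire `handleLoginRequest()` to the existing `mysqli` connection in place of any code that builds the login query by string concatenation. Because the login form is submitted by POST, the web server's access log records only the request line, not the Username value; the `error_log()` line written by `logFailedLogin()` is what gives the "monitor the /admin/login.php endpoint" advice something to match on, and the `SUSPECT` flag is a convenient alert key for a SIEM rule.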
CVE-2026-5179 is a SQL Injection vulnerability affecting Simple Doctors Appointment System version 1.0, allowing attackers to manipulate database queries through the /admin/login.php file.
If you are using Simple Doctors Appointment System version 1.0 and have not upgraded, you are potentially affected. Assess your environment and implement mitigations immediately.
Upgrade to a patched version of Simple Doctors Appointment System. Since a fixed version is not specified, implement input validation and WAF rules as immediate workarounds.
Yes, a public proof-of-concept exists, indicating a high probability of active exploitation. Monitor your systems closely.
Refer to the SourceCodester website or relevant security forums for updates and advisories regarding CVE-2026-5179.