Platform: php
Component: simple-doctors-appointment-system
Fixed in: 1.0.1
CVE-2026-5180 describes a SQL Injection vulnerability discovered in SourceCodester's Simple Doctors Appointment System, specifically version 1.0. This flaw allows attackers to inject malicious SQL code through manipulation of the 'email' parameter within the /admin/ajax.php?action=login2 file. Successful exploitation could result in unauthorized access to sensitive data and compromise the integrity of the system.
The SQL Injection vulnerability in Simple Doctors Appointment System poses a significant risk. An attacker could leverage this flaw to bypass authentication mechanisms and gain unauthorized access to the application's database. This could lead to the exfiltration of sensitive patient data, appointment schedules, and administrative credentials. Furthermore, the attacker might be able to modify or delete data, disrupt system operations, or even execute arbitrary commands on the underlying server, depending on database permissions. The published exploit increases the likelihood of immediate exploitation.
CVE-2026-5180 has been publicly disclosed and an exploit has been published, indicating a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but the availability of a public exploit warrants immediate attention. The ease of exploitation, combined with the potential impact on sensitive data, makes this a critical vulnerability to address.
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-5180 is to upgrade to a patched version of Simple Doctors Appointment System. Since a fixed version is not specified, immediate action is crucial. As a temporary workaround, implement Web Application Firewall (WAF) rules to filter potentially malicious SQL injection attempts targeting the /admin/ajax.php?action=login2 endpoint. Additionally, strengthen input validation routines to sanitize user-supplied data, particularly the 'email' parameter, before it is used in database queries. Regularly review database user permissions to limit the potential impact of a successful attack. After implementing these measures, verify their effectiveness by attempting controlled SQL injection tests.
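The following is an added example of what the hardened login handler described above looks like; it is not code from the Simple Doctors Appointment System or from the vendor's fix. The table and column names (admin, email, password_hash), the PDO connection details and the JSON response shape are assumptions chosen for illustration.

```php
<?php
// Added example (not the project's code): a hardened admin login handler for
// the request shape named in the advisory (the 'email' parameter of
// /admin/ajax.php?action=login2). Table and column names are assumptions.
//
// The bug class arises when the parameter is concatenated into the query
// text, e.g. "... WHERE email = '" . $_POST['email'] . "'", so a quote in the
// input changes the query's structure. Below, the query text is fixed and the
// value travels separately as a bound parameter.
declare(strict_types=1);

function admin_login(PDO $db, string $email, string $password): ?array
{
    // 1. Input validation (defence in depth, not the primary control):
    //    reject anything that is not a syntactically valid e-mail address.
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        return null;
    }

    // 2. Prepared statement: the bound value is never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT id, email, password_hash FROM admin WHERE email = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. Verify against a stored password hash; return the same generic
    //    failure for "unknown user" and "wrong password", and log the attempt
    //    so repeated failures against this endpoint are visible to monitoring.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        error_log(sprintf('admin login failed for %s from %s',
            $email, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return null;
    }
    return ['id' => (int) $row['id'], 'email' => $row['email']];
}

// Assumed connection settings. Emulated prepares are disabled so the
// database server, not the PHP driver, performs the parameter binding.
$db = new PDO('mysql:host=localhost;dbname=appointments', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$admin = admin_login($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
header('Content-Type: application/json');
echo json_encode($admin === null ? ['ok' => false] : ['ok' => true, 'admin' => $admin]);
```

The permission review the text recommends applies to the `app` database account here: it needs only SELECT on the admin table for this query, not DROP or FILE privileges.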
Update to a patched version of the appointment system. Contact the vendor for a corrected version or apply a patch that fixes the SQL Injection vulnerability in /admin/ajax.php?action=login2. Validate and sanitize user inputs to prevent future attacks.
CVE-2026-5180 is a SQL Injection vulnerability affecting Simple Doctors Appointment System version 1.0, allowing attackers to inject malicious SQL code through the /admin/ajax.php?action=login2 file.
If you are using Simple Doctors Appointment System version 1.0, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of Simple Doctors Appointment System. Until a patch is available, implement WAF rules and input validation as temporary mitigations.
Due to the public availability of an exploit, CVE-2026-5180 is likely being actively exploited or will be shortly.
Check the SourceCodester website and relevant security forums for the official advisory regarding CVE-2026-5180.