Plataforma
php
Componente
cveproject
Corregido en
1.0.1
1.0.1
CVE-2026-2150 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester's Patients Waiting Area Queue Management System, versions 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the /checkin.php file and is triggered by manipulating the patient_id argument. A public exploit is already available.
Successful exploitation of CVE-2026-2150 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content displayed on the application. The impact is particularly severe if the application handles sensitive patient data, as an attacker could potentially access or modify this information. The availability of a public exploit significantly increases the risk of widespread exploitation.
CVE-2026-2150 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability was published on 2026-02-08. The availability of a public exploit suggests that attackers are actively seeking to exploit this vulnerability. No KEV listing or EPSS score is currently available.
Healthcare providers and organizations utilizing the Patients Waiting Area Queue Management System version 1.0 are at significant risk. Shared hosting environments where multiple users share the same server are particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account. Organizations with limited security expertise or resources may be less likely to implement timely mitigations.
• php / web: Examine access logs for requests to /checkin.php with unusual or suspicious values in the patient_id parameter. Look for patterns indicative of XSS payloads (e.g., <script> tags, event handlers). • generic web: Use curl/wget to test the /checkin.php endpoint with various payloads to see if they are reflected in the response. • generic web: Check response headers for Content-Security-Policy (CSP) directives. A strong CSP can mitigate XSS attacks even if the vulnerability exists.
disclosure
Estado del Exploit
EPSS
0.01% (2% percentil)
CISA SSVC
Vector CVSS
The primary mitigation for CVE-2026-2150 is to upgrade to a patched version of the Patients Waiting Area Queue Management System. Since no fixed version is specified, consider reverting to a previous known-good version if upgrading causes instability. As a temporary workaround, implement strict input validation and sanitization on the patient_id parameter within the /checkin.php file. Web application firewalls (WAFs) can be configured to filter out malicious input patterns associated with XSS attacks. Regularly review and update security rules to address emerging threats.
Actualizar el sistema Patients Waiting Area Queue Management System a una versión posterior a la 1.0, si existe, o aplicar un parche que filtre y escape correctamente la entrada del parámetro patient_id en el archivo checkin.php para evitar la inyección de código XSS.
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2026-2150 is a cross-site scripting (XSS) vulnerability in SourceCodester's Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using Patients Waiting Area Queue Management System version 1.0, you are potentially affected by this vulnerability. Upgrade is recommended.
Upgrade to a patched version of the software. If upgrading is not possible, implement input validation and sanitization and consider using a WAF.
A public exploit is available, suggesting a high probability of active exploitation.
Refer to the SourceCodester website or relevant security mailing lists for official advisories regarding this vulnerability.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.