Platform: php
Component: cveproject
Fixed in: 1.0.1
CVE-2026-2150 describes a cross-site scripting (XSS) vulnerability in SourceCodester's Patients Waiting Area Queue Management System, version 1.0. The flaw lets an attacker inject script into pages served by the application, which can lead to session hijacking or defacement. It resides in the /checkin.php file and is triggered by manipulating the patient_id argument. A public exploit is already available.
Successful exploitation of CVE-2026-2150 allows an attacker to run arbitrary JavaScript in a victim user's browser, in the origin of the application. That script can read the session cookie (unless it is flagged HttpOnly), send requests on the user's behalf, redirect the user to an attacker-controlled site, or rewrite what the page displays. The impact is serious here because the application handles patient data: whatever the logged-in user can view or change, the injected script can too. The public exploit lowers the bar for anyone who finds an exposed instance.
CVE-2026-2150 was published on 2026-02-08 with a public proof-of-concept, so exploitation requires no original research. It is not listed in CISA KEV, and the EPSS score shown on this page is 0.01% (2nd percentile), a low predicted likelihood of in-the-wild exploitation despite the public PoC. Treat the PoC, not the score, as the reason to patch any instance reachable by untrusted users.
Healthcare providers running version 1.0 of the Patients Waiting Area Queue Management System are the affected population. Because XSS executes in the browser of whoever views the injected content, the people at risk are the application's own users, typically reception or clinical staff whose session can view and modify patient records: an attacker needs such a user to open a crafted /checkin.php link, or, if the value is persisted, to view a page that renders it. Shared hosting is not a special risk factor for this class of bug, which runs client-side rather than on the server. Organizations with limited security expertise or resources are the least likely to apply a fix quickly.
• php / web: Examine access logs for requests to /checkin.php with unusual values in the patient_id parameter. A legitimate patient_id is an identifier, so anything beyond digits is suspect; look in particular for URL-encoded markup (%3C, %3E, %22) and event handlers (onerror=, onload=), and decode twice, since double encoding is a common way to slip past a naive grep.
• generic web: Use curl/wget to request /checkin.php with a harmless marker value in patient_id and check whether it comes back in the response body unencoded. If the raw characters are reflected, the endpoint is vulnerable.
• generic web: Check response headers for a Content-Security-Policy. A strict CSP (no 'unsafe-inline', no wildcard script sources) limits what an injected script can do, but it is defense in depth, not a fix; the parameter still has to be validated and encoded.
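The log check above, written out as an added example (this is not code from the advisory or from SourceCodester). It parses combined-format access log lines, keeps only /checkin.php requests, URL-decodes patient_id twice to catch double encoding, and reports values that contain markup or event-handler indicators. The log lines are constructed for the demo; the indicator list and function names are assumptions, tuned for triage rather than for blocking.

```php
<?php
// Added example (not from the advisory or from SourceCodester): scan combined-format
// access log lines for /checkin.php requests whose patient_id value looks like an
// XSS payload. Requires PHP 8 (str_ends_with). Log lines below are constructed.

declare(strict_types=1);

// Indicators checked after URL-decoding. Deliberately broad: this is triage, not a WAF.
const XSS_INDICATORS = [
    '/<\s*script\b/i',
    '/<\s*(svg|img|iframe|body|object|embed|details|math)\b/i',
    '/\bon[a-z]+\s*=/i',          // onerror=, onload=, onmouseover= ...
    '/javascript\s*:/i',
    '/[<>"\']/',                  // any markup or quote character in a numeric id
];

/**
 * Parse one combined-log line into ip/path/query, or null if it does not match.
 * Format: IP - - [date] "METHOD /path?query HTTP/x.y" status bytes "ref" "ua"
 */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[2]);
    return [
        'ip'    => $m[1],
        'path'  => $url['path'] ?? '',
        'query' => $url['query'] ?? '',
    ];
}

/**
 * Return the suspicious requests: ip, the decoded patient_id and the indicator
 * that matched. A plain numeric patient_id never matches.
 */
function findSuspiciousCheckins(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null || !str_ends_with($req['path'], '/checkin.php')) {
            continue;
        }
        parse_str($req['query'], $params);   // parse_str URL-decodes the values once
        if (!isset($params['patient_id'])) {
            continue;
        }
        // Decode a second time: attackers double-encode to get past naive greps.
        $value = rawurldecode((string) $params['patient_id']);
        foreach (XSS_INDICATORS as $re) {
            if (preg_match($re, $value)) {
                $hits[] = ['ip' => $req['ip'], 'patient_id' => $value, 'matched' => $re];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): one benign check-in, one plain
// payload, one double-encoded payload, and one unrelated request to ignore.
$sample = [
    '10.0.0.5 - - [08/Feb/2026:09:12:01 +0000] "GET /checkin.php?patient_id=1042 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Feb/2026:09:12:44 +0000] "GET /checkin.php?patient_id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 901 "-" "curl/8.5.0"',
    '10.0.0.9 - - [08/Feb/2026:09:13:02 +0000] "GET /checkin.php?patient_id=%253Csvg%2Fonload%253Dalert(1)%253E HTTP/1.1" 200 880 "-" "curl/8.5.0"',
    '10.0.0.7 - - [08/Feb/2026:09:14:10 +0000] "GET /index.php?page=%3Cscript%3E HTTP/1.1" 200 500 "-" "Mozilla/5.0"',
];

foreach (findSuspiciousCheckins($sample) as $hit) {
    printf("%s  patient_id=%s  (matched %s)\n", $hit['ip'], $hit['patient_id'], $hit['matched']);
}
```

Run it with `php scan.php`, or replace `$sample` with `file('/var/log/apache2/access.log')` to scan a real log. Only the two /checkin.php requests from 10.0.0.9 are reported; the second one is caught only because of the second decode. A 200 status on those lines tells you the payload reached the page, not that a victim viewed it, so correlate hits with the referring pages and sessions of staff users before concluding a compromise.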
Disclosure
Exploit status: public proof-of-concept available
EPSS: 0.01% (2nd percentile)
The primary mitigation for CVE-2026-2150 is to upgrade to a patched release. This page lists 1.0.1 as the fixed version, but the advisory text itself names none, so confirm with the vendor that the release you deploy actually changes how /checkin.php handles patient_id. Reverting to an older release is not an option, since 1.0 is the affected version. As a workaround until a fix is in place, validate patient_id in /checkin.php as the integer identifier it is supposed to be, rejecting anything else, and HTML-encode every value that is echoed back into the page. Web application firewalls can filter common XSS payload patterns in the meantime, but they are bypassable and no substitute for output encoding; keep their rules current and do not treat a WAF rule as the fix. Setting the HttpOnly flag on the session cookie and a strict Content-Security-Policy reduce what a successful injection can do.
Update the Patients Waiting Area Queue Management System to a version later than 1.0, if one exists, or apply a fix that correctly filters and escapes the patient_id parameter in checkin.php so that XSS code cannot be injected.
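The fix described above, as an added example rather than SourceCodester's actual checkin.php (which the advisory does not reproduce): a hypothetical handler that echoes patient_id the vulnerable way, next to a hardened version that validates the parameter as a positive integer and HTML-encodes anything it still reflects. Function names, markup and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not code from SourceCodester's checkin.php: the vulnerable pattern
// the advisory describes (a request parameter echoed into HTML unencoded) beside a
// hardened handler. Names and markup are illustrative.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated into the page in two
// contexts, element text and a double-quoted attribute value.
function renderCheckinVulnerable(array $get): string
{
    $id = $get['patient_id'] ?? '';
    return '<p>Checking in patient ' . $id . '</p>'
         . '<input type="hidden" name="patient_id" value="' . $id . '">';
}

// Hardened: accept only a positive integer for patient_id, and HTML-encode
// everything that is reflected, including the value shown in the error message.
function renderCheckinHardened(array $get): string
{
    $raw = (string) ($get['patient_id'] ?? '');
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

    // ENT_QUOTES encodes both quote styles, so the result is safe in element text
    // and inside single- or double-quoted attributes; ENT_SUBSTITUTE avoids an
    // empty string (and a silently blank page) on invalid UTF-8.
    $encode = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    if ($id === false) {
        http_response_code(400);
        // Echoing the bad value is acceptable only because it is encoded and
        // truncated; not echoing it at all would be the stricter choice.
        return '<p>Invalid patient id: ' . $encode(substr($raw, 0, 40)) . '</p>';
    }

    // $id is an int now, but encoding on output anyway keeps the template safe
    // if someone later widens the field to free text.
    $safe = $encode((string) $id);
    return '<p>Checking in patient ' . $safe . '</p>'
         . '<input type="hidden" name="patient_id" value="' . $safe . '">';
}

// Constructed inputs: a legitimate id and an attribute-breaking payload of the
// kind the CVE concerns.
$benign  = ['patient_id' => '1042'];
$payload = ['patient_id' => '"><script>alert(document.cookie)</script>'];

echo "vulnerable, benign : ", renderCheckinVulnerable($benign), "\n";
echo "vulnerable, payload: ", renderCheckinVulnerable($payload), "\n"; // live <script> in the page
echo "hardened,  benign  : ", renderCheckinHardened($benign), "\n";
echo "hardened,  payload : ", renderCheckinHardened($payload), "\n";   // rejected; quotes and brackets encoded
```

The vulnerable output for the payload closes the `value` attribute and injects a script element; the hardened output rejects the value and, where it shows it at all, renders `&quot;&gt;&lt;script&gt;...` as inert text. Validation and output encoding are separate controls: validation is possible here because patient_id is an identifier, while encoding is what protects any field that legitimately contains free text.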
CVE-2026-2150 is a cross-site scripting (XSS) vulnerability in SourceCodester's Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using Patients Waiting Area Queue Management System version 1.0, you are potentially affected by this vulnerability. Upgrade is recommended.
Upgrade to a patched version of the software. If upgrading is not possible, validate patient_id in /checkin.php and HTML-encode it on output; a WAF can add a layer in front but is not a replacement for the fix.
A public proof-of-concept exploit is available, so no original research is needed to attack an exposed instance, even though the EPSS score shown on this page is low (0.01%).
Refer to the SourceCodester website or relevant security mailing lists for official advisories regarding this vulnerability.