Platform
php
Component
cveproject
Fixed in
1.0.1
CVE-2026-2149 is a cross-site scripting (XSS) vulnerability affecting the Patients Waiting Area Queue Management System developed by SourceCodester/Patrick Mvuma. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability impacts version 1.0 of the system and is triggered by manipulating the patient_id parameter within the /appointments.php file. A fix is pending, and mitigation strategies are recommended.
Successful exploitation of CVE-2026-2149 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including stealing user credentials (session hijacking), redirecting users to phishing sites, or defacing the application's interface. The attacker can potentially gain access to sensitive patient data if the application handles such information. Given the public availability of the exploit, the risk of exploitation is elevated, particularly for systems that are not promptly patched or protected by mitigating controls.
The vulnerability details were publicly disclosed on 2026-02-08, and a proof-of-concept exploit is already available. This significantly increases the likelihood of exploitation. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. Active campaigns targeting this vulnerability are possible given the ease of exploitation.
Healthcare providers and organizations utilizing the Patients Waiting Area Queue Management System, particularly those hosting the application on shared hosting environments, are at increased risk. Systems with weak input validation or lacking WAF protection are especially vulnerable.
• generic web: Use curl to test the /appointments.php endpoint with various patient_id parameters containing XSS payloads (e.g., <script>alert(1)</script>).
• generic web: Examine access and error logs for requests to /appointments.php containing suspicious characters or patterns.
• generic web: Inspect the response body for reflected input (e.g., unexpected script tags echoed back from the patient_id parameter).
curl "https://<your-host>/appointments.php?patient_id=<script>alert(1)</script>"
Disclosure
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
While a patch is not yet available, several mitigation strategies can reduce the risk associated with CVE-2026-2149. Implement a Web Application Firewall (WAF) with rules to filter out malicious input targeting the patient_id parameter in /appointments.php. Input validation and sanitization on the server-side are crucial to prevent XSS attacks. Consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed. Regularly monitor application logs for suspicious activity related to the /appointments.php endpoint. After implementing WAF rules, verify their effectiveness by attempting to inject a simple XSS payload.
Upgrade to a patched version or apply the necessary security measures to prevent XSS code injection. Validate and sanitize user input, especially the patient_id parameter in appointments.php. Implement Content Security Policy (CSP).
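The server-side mitigations above (validate patient_id, encode anything reflected into HTML, send a CSP) as an added example; this is not the project's code, the function names are assumptions, and it assumes PHP 8.0 or newer:

```php
<?php
// Added example (not the project's code): hardened handling of the patient_id
// parameter in a page like /appointments.php. Function names are assumptions.
declare(strict_types=1);

// Content Security Policy: scripts only from this origin, no inline scripts.
// A reflected <script> payload cannot execute even if encoding is missed somewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

/**
 * Validate patient_id as a positive integer; return null for anything else.
 * Rejecting the value outright is the server-side input validation step.
 */
function validatePatientId(mixed $raw): ?int
{
    if (!is_string($raw)) {          // rejects patient_id[]=... arrays and missing values
        return null;
    }
    // FILTER_VALIDATE_INT rejects markup, spaces, hex, and anything below min_range.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Encode a string before placing it in an HTML body or attribute.
 * ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$patientId = validatePatientId($_GET['patient_id'] ?? null);

if ($patientId === null) {
    http_response_code(400);
    // Never echo the rejected raw value back into the page; log the event instead.
    error_log('appointments.php: rejected patient_id from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    echo '<p>Invalid patient id.</p>';
    exit;
}

// $patientId is an int here and cannot carry markup; encode anyway so every
// reflected value goes through the same function.
echo '<h2>Appointments for patient ' . e((string) $patientId) . '</h2>';
echo '<input type="hidden" name="patient_id" value="' . e((string) $patientId) . '">';
```

The same e() encoding must be applied to every other user-controlled value the page reflects, not only patient_id; the CSP header is a second layer, not a substitute for it.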
CVE-2026-2149 is a cross-site scripting (XSS) vulnerability in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using version 1.0 of the Patients Waiting Area Queue Management System, you are potentially affected by this vulnerability. Assess your environment and implement mitigation strategies.
A patch is not yet available. Implement WAF rules, input validation, and Content Security Policy (CSP) as temporary mitigations.
A proof-of-concept exploit is publicly available, increasing the likelihood of active exploitation. Monitor your systems closely.
Check the SourceCodester website and relevant security forums for updates and advisories regarding CVE-2026-2149.