Cross-Site Scripting in Patrick Mvuma Patients Waiting Area Queue Management System
CVE-2026-1147

5.1MEDIUM

Key Information:

Vendor

Sourcecodester
Status
Patients Waiting Area Queue Management System
Vendor
CVE Published:
19 January 2026

What is CVE-2026-1147?

A cross-site scripting (XSS) vulnerability exists in the Patrick Mvuma Patients Waiting Area Queue Management System 1.0, particularly in the /php/api_patient_schedule.php file. Attackers can manipulate the 'Reason' argument to execute arbitrary JavaScript in a victim's browser, potentially leading to data theft or session hijacking. This vulnerability can be exploited remotely, making it a considerable risk to users of the system. Publicly available exploits could facilitate actual attacks.

Affected Version(s)

Patients Waiting Area Queue Management System 1.0

Patients Waiting Area Queue Management System 1.0

References

https://vuldb.com/?id.341740
vdb-entrytechnical-description
https://vuldb.com/?ctiid.341740
signaturepermissions-required
https://vuldb.com/?submit.735544
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bobsux (VulDB User)
JSON
.