CVE-2026-1148
Unknown Unknown - Not Provided

Cross-Site Request Forgery in Patrick Mvuma Queue System

Vulnerability report for CVE-2026-1148, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: VulDB

Description

A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-07-06
AI Q&A
2026-01-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester patrick_mvuma_patients_waiting_area_queue_management_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-1148 is a Cross-Site Request Forgery (CSRF) vulnerability in the Patrick Mvuma Patients Waiting Area Queue Management System version 1.0. It occurs because the patient registration endpoint does not implement any CSRF protection, such as anti-CSRF tokens. This allows an attacker to trick an authenticated user into unknowingly submitting unauthorized requests, such as creating patient records, without their consent. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to perform unauthorized actions on your behalf within the affected system, specifically creating patient records without your knowledge or consent. This compromises the integrity of the system and may lead to unauthorized data manipulation. The attack can be launched remotely and is easy to exploit, potentially causing operational disruptions or data inconsistencies. [1, 2]

Detection Guidance

Detection can focus on monitoring requests to the patient registration endpoint `pqms/php/api_register_patient.php` for unauthorized or suspicious POST requests that create patient records without proper CSRF tokens. Network traffic inspection tools or web application firewalls (WAF) can be used to log and analyze such requests. Specific commands depend on your environment, but for example, using curl to test the endpoint without CSRF tokens or using tools like Burp Suite to intercept and analyze requests may help identify the vulnerability. However, no specific detection commands or public exploits are documented. [1, 2]

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protection mechanisms such as anti-CSRF tokens on the patient registration endpoint to validate legitimate user requests. If modifying the software is not feasible, consider restricting access to the vulnerable endpoint via network controls or web application firewalls. Additionally, replacing the affected software with an alternative product is suggested as a mitigation. Since no known countermeasures or patches are documented, these steps are recommended to reduce risk. [1, 2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1148. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart