CVE-2026-1148
Unknown Unknown - Not Provided
Cross-Site Request Forgery in Patrick Mvuma Queue System

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: VulDB

Description
A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1148
EUVD
EUVD-2026-3228
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester patrick_mvuma_patients_waiting_area_queue_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1148 is a Cross-Site Request Forgery (CSRF) vulnerability in the Patrick Mvuma Patients Waiting Area Queue Management System version 1.0. It occurs because the patient registration endpoint does not implement any CSRF protection, such as anti-CSRF tokens. This allows an attacker to trick an authenticated user into unknowingly submitting unauthorized requests, such as creating patient records, without their consent. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to perform unauthorized actions on your behalf within the affected system, specifically creating patient records without your knowledge or consent. This compromises the integrity of the system and may lead to unauthorized data manipulation. The attack can be launched remotely and is easy to exploit, potentially causing operational disruptions or data inconsistencies. [1, 2]

Detection Guidance

Detection can focus on monitoring requests to the patient registration endpoint `pqms/php/api_register_patient.php` for unauthorized or suspicious POST requests that create patient records without proper CSRF tokens. Network traffic inspection tools or web application firewalls (WAF) can be used to log and analyze such requests. Specific commands depend on your environment, but for example, using curl to test the endpoint without CSRF tokens or using tools like Burp Suite to intercept and analyze requests may help identify the vulnerability. However, no specific detection commands or public exploits are documented. [1, 2]

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protection mechanisms such as anti-CSRF tokens on the patient registration endpoint to validate legitimate user requests. If modifying the software is not feasible, consider restricting access to the vulnerable endpoint via network controls or web application firewalls. Additionally, replacing the affected software with an alternative product is suggested as a mitigation. Since no known countermeasures or patches are documented, these steps are recommended to reduce risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1148. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart