CVE-2026-1148
Cross-Site Request Forgery in Patrick Mvuma Queue System

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: VulDB

Description
A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely.
Meta Information
Published: 2026-01-19
Last Modified: 2026-01-19
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: sourcecodester
Product: patrick_mvuma_patients_waiting_area_queue_management_system
Version / Range: 1.0
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1148 is a Cross-Site Request Forgery (CSRF) vulnerability in the Patrick Mvuma Patients Waiting Area Queue Management System version 1.0. It occurs because the patient registration endpoint does not implement any CSRF protection, such as anti-CSRF tokens. This allows an attacker to trick an authenticated user into unknowingly submitting unauthorized requests, such as creating patient records, without their consent. [1, 2]


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to perform unauthorized actions on your behalf within the affected system, specifically creating patient records without your knowledge or consent. This compromises the integrity of the system and may lead to unauthorized data manipulation. The attack can be launched remotely and is easy to exploit, potentially causing operational disruptions or data inconsistencies. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can focus on monitoring requests to the patient registration endpoint `pqms/php/api_register_patient.php` for unauthorized or suspicious POST requests that create patient records without proper CSRF tokens. Network traffic inspection tools or web application firewalls (WAF) can be used to log and analyze such requests. Specific commands depend on your environment, but for example, using curl to test the endpoint without CSRF tokens or using tools like Burp Suite to intercept and analyze requests may help identify the vulnerability. However, no specific detection commands or public exploits are documented. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing CSRF protection mechanisms such as anti-CSRF tokens on the patient registration endpoint to validate legitimate user requests. If modifying the software is not feasible, consider restricting access to the vulnerable endpoint via network controls or web application firewalls. Additionally, replacing the affected software with an alternative product is suggested as a mitigation. Since no known countermeasures or patches are documented, these steps are recommended to reduce risk. [1, 2]
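The anti-CSRF token mitigation described above, shown as an added example in PHP (the language of the affected application); this is not the project's own code, and the helper names (csrf_token, csrf_hidden_field, csrf_require_valid) are hypothetical. It assumes a session-based login and a form that posts to an endpoint such as pqms/php/api_register_patient.php.

```php
<?php
// Added example, not part of the Patients Waiting Area Queue Management System.
// Synchronizer-token pattern: a per-session secret is embedded in every
// state-changing form and must be echoed back before the action runs.

// Defense in depth: a SameSite session cookie stops most cross-site POSTs
// from carrying the session at all (array form requires PHP >= 7.3).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Return the session's CSRF token, generating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex chars; unguessable per session.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to place inside the patient registration <form>.
function csrf_hidden_field(): string
{
    $value = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $value . '">';
}

// Abort the request unless it carries the session's token.
// Accepts the form field or an X-CSRF-Token header for AJAX callers.
function csrf_require_valid(): void
{
    $sent     = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time, avoiding a timing side channel.
    if ($expected === '' || !hash_equals($expected, (string) $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// --- At the top of the API endpoint, before any database write ---
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}
csrf_require_valid();
// Existing registration logic (inserting the patient record) follows here
// and only runs once the token check has passed.
```

The same check belongs in front of every endpoint that changes state, not only patient registration; the CWE-862 entry above means an authorization check on the logged-in user's role is still needed in addition to the token.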

