CVE-2026-1745
Cross-Site Request Forgery in SourceCodester Medical Certificate Generator
Publication date: 2026-02-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | medical_certificate_generator_app | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1745 is a Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Medical Certificate Generator App version 1.0. A logged-in user who visits an attacker-controlled page can be made to submit a POST request to the application's delete_record action, deleting medical certificate records without their knowledge. The application accepts such requests because it relies on the session cookie alone to decide who is making a state-changing request and has no anti-CSRF control at all: no per-session token, no validation of the Origin or Referer header, and no SameSite attribute on the session cookie. Since the browser attaches the session cookie automatically, a hidden form on the attacker's page that auto-submits to the vulnerable endpoint is enough to trigger the deletion. [1, 2, 3]
How can this vulnerability impact me?
An attacker can delete arbitrary medical certificate records through a victim's authenticated session, violating the integrity and availability of the data the application manages. Records can be removed without the user's consent or knowledge, disrupting medical record management and potentially causing loss of critical data. Because the only trigger is a visit to a malicious page or link, phishing campaigns can turn any authenticated user into the vehicle for the deletion. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection relies on web server logs and manual testing. In the access log, look for POST requests to the delete action, for example `http://<target>/med/action.php?action=delete_record`, whose Referer header is absent or points to an origin other than the application's own; a legitimate deletion is submitted from a page on the application itself. Keep in mind that common log formats record the request line and the Referer but neither the Origin header nor the POST body, so the query string is the usable filter, and a missing Referer is only a weak signal because browsers and proxies may strip it. To confirm the vulnerability, reproduce the attack in a test environment: while logged in, open a page on a different origin that auto-submits a POST form to the endpoint and check whether the record disappears. Replaying a captured request with curl using only the session cookie and no anti-CSRF token, or watching the request in the browser developer tools, shows the same thing. [1]
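The log check described above, as an added example (not code from the advisory or from the project): a Python script that scans Apache/Nginx combined-format access log lines for POST requests to the delete_record action and flags those whose Referer is missing or belongs to another origin. The `/med/action.php` path and the delete_record action come from the text; the log lines and the hostname `medapp.example` are constructed for this example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumed origin the application is served from (constructed for this example).
APP_ORIGIN = "http://medapp.example"
# Endpoint and action named in the advisory text.
TARGET_PATH = "/med/action.php"
TARGET_ACTION = "delete_record"

# Apache/Nginx "combined" format:
# host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log: a normal page load, a legitimate same-origin delete,
# a delete referred from a foreign page, a delete with no Referer at all,
# and a foreign-referred request to a different action.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:10:01:12 +0000] "GET /med/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:01:40 +0000] "POST /med/action.php?action=delete_record HTTP/1.1" 200 27 "http://medapp.example/med/index.php?page=list" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:03:05 +0000] "POST /med/action.php?action=delete_record HTTP/1.1" 200 27 "http://evil.example/page.html" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:03:06 +0000] "POST /med/action.php?action=delete_record HTTP/1.1" 200 27 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:04:00 +0000] "POST /med/action.php?action=save_record HTTP/1.1" 200 27 "http://evil.example/page.html" "Mozilla/5.0"
"""


def origin_of(url: str) -> Optional[str]:
    """scheme://host[:port] of a URL, or None when the log shows '-' or the value is not a URL."""
    if not url or url == "-":
        return None
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_delete_request(method: str, target: str) -> bool:
    """True for a POST to the delete action; matched on the query string because POST bodies are not logged."""
    path, _, query = target.partition("?")
    return method == "POST" and path == TARGET_PATH and f"action={TARGET_ACTION}" in query.split("&")


def find_suspicious_deletes(log_text: str, app_origin: str = APP_ORIGIN) -> List[Dict[str, str]]:
    """Return delete requests whose Referer is missing or does not come from app_origin."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_delete_request(m["method"], m["target"]):
            continue
        ref_origin = origin_of(m["referer"])
        if ref_origin == app_origin:
            continue  # submitted from a page on the app itself: expected
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": m["status"],
            "referer": m["referer"],
            "reason": "missing Referer" if ref_origin is None
                      else f"foreign Referer origin {ref_origin}",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_deletes(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['reason']} (status {f['status']})")
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents and `APP_ORIGIN` with the scheme and host users actually browse to. A foreign Referer on a successful (status 200) delete is strong evidence of exploitation; a missing Referer is only a lead, since privacy settings and some proxies drop the header on legitimate submissions too.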
What immediate steps should I take to mitigate this vulnerability?
Add a per-session (or per-form) anti-CSRF token to every state-changing request, including the delete_record action, and reject server-side any request whose token is missing or does not match. As defence in depth, compare the Origin header (falling back to Referer when Origin is absent) against the application's own origin and refuse requests from any other origin. Set the session cookie with a SameSite attribute (Lax at minimum) so browsers do not attach it to cross-site POSTs; this is a browser-side control and complements the token rather than replacing it. Make sure deletion is reachable only via POST, since a GET-triggered delete could be fired by a plain link or image tag. If code changes are not immediately possible, restrict network access to the application or temporarily disable the delete function. Longer term, update to or replace the software with a version that carries proper CSRF protection. [1]
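The server-side defences listed above, as an added example: a Python model of what a fixed delete_record handler would check (per-session token compared in constant time, Origin/Referer check, SameSite session cookie, POST only). This is not the application's own PHP code; the origin `http://medapp.example` and the form field name `csrf_token` are assumptions, and requests are plain dicts so the logic runs without a web server.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

APP_ORIGIN = "http://medapp.example"   # assumed origin the app is served from
TOKEN_FIELD = "csrf_token"             # hypothetical name of the hidden form field


def new_session() -> Dict[str, str]:
    """Start a session that carries a fresh, unguessable anti-CSRF token."""
    return {"user": "admin", TOKEN_FIELD: secrets.token_urlsafe(32)}


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie.  SameSite=Lax keeps browsers from
    attaching it to cross-site POSTs; HttpOnly keeps it away from script."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; SameSite=Lax"


def render_delete_form(session: Dict[str, str], record_id: int) -> str:
    """Same-origin delete form: the token travels in a hidden field that a page
    on another origin cannot read."""
    return (
        '<form method="post" action="/med/action.php?action=delete_record">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{session[TOKEN_FIELD]}">'
        f'<input type="hidden" name="id" value="{record_id}">'
        "<button>Delete</button></form>"
    )


def source_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin header first, the Referer's origin as fallback, None if neither is usable."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def handle_delete(session: Dict[str, str], request: Dict) -> Tuple[int, str]:
    """Model of the hardened handler.  request = {"method", "headers", "form"}."""
    form = request.get("form", {})
    if request.get("method") != "POST":
        return 405, "delete must be a POST"          # not reachable via a plain link or <img>
    # Defence in depth: refuse cross-site requests and (a strict choice made here)
    # requests that carry neither an Origin nor a usable Referer.
    if source_origin(request.get("headers", {})) != APP_ORIGIN:
        return 403, "cross-origin or unverifiable request source"
    # Primary defence: the per-session token, compared in constant time.
    submitted = form.get(TOKEN_FIELD, "")
    expected = session.get(TOKEN_FIELD, "")
    if not submitted or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    if "id" not in form:
        return 400, "missing record id"
    return 200, f"record {form['id']} deleted"


if __name__ == "__main__":
    s = new_session()
    legit = {"method": "POST", "headers": {"Origin": APP_ORIGIN},
             "form": {TOKEN_FIELD: s[TOKEN_FIELD], "id": "7"}}
    # What the auto-submitting form on an attacker's page produces: the browser
    # sends the session cookie and sets Origin to the attacker's site, but the
    # attacker cannot supply the token.
    forged = {"method": "POST", "headers": {"Origin": "http://evil.example"},
              "form": {"id": "7"}}
    print(handle_delete(s, legit))    # (200, 'record 7 deleted')
    print(handle_delete(s, forged))   # (403, 'cross-origin or unverifiable request source')
```

In a PHP application the same three checks go at the top of the action handler, before the delete query runs, with the token kept in the server-side session and emitted into every form that performs a state change. The token check is the control that decides the outcome; the origin check and the SameSite attribute are there so that a token leak or a misconfigured page still leaves an attacker short of a working request.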
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to arbitrarily delete sensitive medical certificate records, leading to data integrity violations and potential unauthorized data manipulation. Such impacts can negatively affect compliance with regulations like GDPR and HIPAA, which require protection of personal and medical data integrity and security. However, specific compliance implications are not detailed in the provided resources. [1, 2]