CVE-2026-2150
Cross-Site Scripting in Patients Waiting Area Queue System
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pamzey | patients_waiting_area_queue_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of the vulnerable parameter "patient_id" in the /checkin.php page of the Patients Waiting Area Queue Management System version 1.0.'}, {'type': 'paragraph', 'content': 'One method to identify potentially vulnerable targets is to use Google dorking with queries such as: inurl:checkin.php'}, {'type': 'paragraph', 'content': 'Additionally, testing the patient_id parameter for cross-site scripting (XSS) by injecting typical XSS payloads and observing if the input is improperly sanitized can help detect the vulnerability.'}, {'type': 'paragraph', 'content': 'For example, using curl or wget commands to send requests with crafted patient_id parameters containing script tags or encoded characters can help verify if the system is vulnerable.'}] [2, 1]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been documented for this vulnerability.
It is suggested to replace the affected software with an alternative product that does not contain this vulnerability.
As an immediate step, restricting access to the vulnerable /checkin.php page or applying web application firewall (WAF) rules to block malicious input targeting the patient_id parameter may help reduce risk.
Ultimately, applying proper input sanitization and validation in the source code to neutralize user-controllable input is required to fully mitigate the issue.
Can you explain this vulnerability to me?
CVE-2026-2150 is a Cross-Site Scripting (XSS) vulnerability found in the Patients Waiting Area Queue Management System version 1.0 developed by Patrick Mvuma. The flaw exists in the /checkin.php file, specifically in the patient_id parameter, where improper input sanitization allows an attacker to inject and execute malicious scripts.
This vulnerability can be exploited remotely without authentication, and it requires user interaction to trigger the malicious script execution. The attack involves manipulating the patient_id argument to perform doubled character XSS manipulations, potentially compromising the security of users interacting with the affected web page.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject malicious scripts into the application, which can then be executed in the context of users visiting the affected page. This can lead to unauthorized actions such as session hijacking, defacement, or redirection to malicious sites.
Since the attack can be initiated remotely without authentication, any user interacting with the vulnerable system could be at risk. The integrity of the system is compromised because attackers can manipulate the content displayed to users, potentially leading to further exploitation or data exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know