CVE-2026-2154
Cross-Site Scripting in Patients Queue Management Registration Module
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pamzey | patients_waiting_area_queue_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2154 is a cross-site scripting (XSS) vulnerability found in the SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System version 1.0, specifically in the Patient Registration module within the file /registration.php.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper neutralization of user-controllable input in the "First Name" parameter, allowing an attacker to inject malicious scripts.'}, {'type': 'paragraph', 'content': "This means that when a user inputs data into the First Name field, the system does not properly sanitize or encode this input, enabling an attacker to insert harmful JavaScript code that can be executed in other users' browsers."}, {'type': 'paragraph', 'content': 'The exploit can be performed remotely without authentication but requires user interaction to trigger the malicious script.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability allows attackers to inject and execute arbitrary scripts in the context of the affected web application.
- Attackers can hijack user sessions.
- It can lead to defacement of the web application.
- Malicious activities such as stealing sensitive information or manipulating the application behavior can occur.
Because the vulnerability is remotely exploitable and publicly known, attackers can easily target vulnerable systems, increasing the risk of compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying instances of the vulnerable application using Google dorking techniques such as searching for "inurl:registration.php" to find exposed registration pages.'}, {'type': 'paragraph', 'content': 'To confirm the presence of the vulnerability, you can test the "First Name" input field in the /registration.php page by injecting simple JavaScript payloads (e.g., <script>alert(1)</script>) and observing if the script executes when the input is displayed later.'}, {'type': 'paragraph', 'content': 'No specific network commands are provided, but manual testing via a web browser or automated scanning tools that detect cross-site scripting (XSS) vulnerabilities targeting the "First Name" parameter in the Patient Registration module can be used.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
No known mitigations or countermeasures have been reported for this vulnerability.
It is suggested to replace the affected software with an alternative product to avoid the risk posed by this vulnerability.