CVE-2026-3171
Received Received - Intake
Cross-Site Scripting in Patients Waiting Area Queue Management System

Publication date: 2026-02-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /queue.php. This manipulation of the argument firstname/lastname causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3171
EUVD
EUVD-2026-8633
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pamzey patients_waiting_area_queue_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3171 is a Stored Cross-Site Scripting (XSS) vulnerability found in version 1.0 of the SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System, specifically in the /queue.php file.

The vulnerability occurs because the firstname and lastname parameters submitted during patient registration are not properly sanitized or output-encoded before being stored in the database and displayed on the public-facing queue monitor.

An attacker can exploit this by injecting malicious JavaScript payloads into these name fields, which then execute automatically for any user viewing the queue page, including public kiosks or waiting area displays.

This issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and can be exploited remotely without local access, but requires user interaction by the victim.

Impact Analysis

The vulnerability allows execution of arbitrary scripts on public monitors displaying the queue, which can lead to several security risks.

  • Defacement of the queue display, causing misinformation or disruption.
  • Hijacking of administrative sessions if authorized personnel view the affected queue page, potentially leading to unauthorized access.
  • Execution of persistent malicious scripts on public kiosks or waiting area displays, which can compromise data integrity and user trust.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the /queue.php page of the Patients Waiting Area Queue Management System is vulnerable to cross-site scripting via the firstname and lastname parameters.'}, {'type': 'paragraph', 'content': 'One method to identify potentially vulnerable targets is to use Google dorking with queries such as inurl:queue.php to find exposed instances of the affected page.'}, {'type': 'paragraph', 'content': 'A practical detection approach is to attempt injecting a benign JavaScript payload into the firstname or lastname fields during patient registration and then observe if the script executes when viewing the queue.php page.'}, {'type': 'list_item', 'content': 'Use a web browser or curl to submit a registration with a payload like "><img src=x onerror=alert(1)>" in the firstname or lastname fields.'}, {'type': 'list_item', 'content': 'Access the /queue.php page and check if an alert box or injected script executes, indicating the presence of the vulnerability.'}] [1, 3]

Mitigation Strategies

No known mitigations or countermeasures have been documented for this vulnerability.

The suggested immediate step is to replace the affected software with an alternative product that does not contain this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3171. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart