CVE-2026-1146 is a cross-site scripting vulnerability identified in version 1.0 of the SourceCodester Patients Waiting Area Queue Management System, specifically within the /php/api_register_patient.php endpoint. The vulnerability arises due to insufficient sanitization of user-supplied input in the firstName and lastName parameters, which are used in the patient registration process. An attacker can craft malicious JavaScript payloads and inject them into these parameters, which, when rendered in a victim's browser, execute arbitrary scripts. This can lead to theft of session cookies, redirection to malicious sites, or unauthorized actions performed on behalf of the victim. The attack vector is remote and does not require prior authentication, although it does require user interaction to trigger the malicious script. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), user interaction required (UI:P), and limited impact on confidentiality (VC:N), integrity (VI:L), and no impact on availability (VA:N). The vulnerability has been publicly disclosed but no known exploits are currently active in the wild. The lack of a vendor patch link suggests that a fix may not yet be available, emphasizing the need for defensive measures. This vulnerability is particularly concerning for healthcare environments where patient data confidentiality and system integrity are critical. Attackers exploiting this flaw could compromise patient information or disrupt queue management processes, potentially affecting healthcare service delivery.

For European organizations, particularly those in the healthcare sector using the affected queue management system, this vulnerability poses a risk to patient data confidentiality and system integrity. Successful exploitation could allow attackers to steal session tokens, impersonate users, or inject malicious content into the application interface, potentially leading to phishing attacks or unauthorized data access. This could undermine patient trust, violate data protection regulations such as GDPR, and result in reputational damage and financial penalties. Additionally, disruption of queue management could impact operational efficiency in healthcare facilities, delaying patient care. The medium CVSS score reflects moderate risk, but the healthcare context elevates the importance of addressing this issue promptly. The absence of known exploits reduces immediate risk but the public disclosure increases the likelihood of future attacks. European healthcare providers must consider the potential for targeted attacks given the sensitive nature of the data and criticality of the service.

1. Implement strict input validation and sanitization on the firstName and lastName parameters to ensure that no executable scripts or HTML tags can be injected. 2. Apply output encoding/escaping on all user-supplied data before rendering it in the web interface to prevent script execution. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser. 4. Monitor web application logs for unusual input patterns or repeated attempts to inject scripts. 5. Educate staff and users about the risks of clicking on suspicious links or inputs that could trigger XSS attacks. 6. If possible, isolate or sandbox the queue management system to limit the impact of any compromise. 7. Engage with the vendor or community to obtain or develop patches addressing this vulnerability. 8. Regularly update and audit all web-facing applications for similar vulnerabilities. 9. Consider deploying Web Application Firewalls (WAF) with rules tailored to detect and block XSS payloads targeting this system. 10. Conduct penetration testing and vulnerability scanning focused on input validation weaknesses in the affected application.