CVE-2026-1146: Cross Site Scripting in SourceCodester Patients Waiting Area Queue Management System
CVE-2026-1146 is a medium-severity cross-site scripting (XSS) vulnerability affecting version 1.0 of the SourceCodester Patients Waiting Area Queue Management System. The vulnerability exists in the /php/api_register_patient.php file, where the firstName and lastName parameters are not properly sanitized, allowing remote attackers to inject malicious scripts. Exploitation requires low privileges but does require user interaction, such as a victim viewing a crafted page or input. While no known exploits are currently active in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. This XSS flaw could lead to session hijacking, credential theft, or defacement, impacting the confidentiality and integrity of patient data. European healthcare organizations using this system are particularly at risk due to the sensitive nature of the data and regulatory requirements. Mitigation involves implementing proper input validation and output encoding on the affected parameters, as well as applying any vendor patches if released. Countries with significant healthcare IT deployments using SourceCodester products, or with high regulatory scrutiny on patient data, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2026-1146 identifies a cross-site scripting vulnerability in the Patients Waiting Area Queue Management System version 1.0 developed by SourceCodester. The vulnerability is located in the /php/api_register_patient.php endpoint, specifically in the handling of the firstName and lastName parameters. These parameters are susceptible to injection of malicious scripts due to insufficient input sanitization and output encoding. An attacker can exploit this remotely by crafting malicious input that, when processed and rendered by the application, executes arbitrary JavaScript in the context of the victim's browser. This can lead to various attack scenarios including session hijacking, theft of authentication tokens, or manipulation of displayed content. The vulnerability requires low privileges (PR:L) but does not require authentication (AT:N) and user interaction is necessary (UI:P), such as a user clicking a malicious link or viewing a compromised page. The CVSS 4.0 vector indicates no impact on confidentiality (VC:N), limited impact on integrity (VI:L), and no impact on availability (VA:N). The vulnerability has been publicly disclosed but no known exploits are currently reported in the wild. The lack of vendor patches at the time of disclosure means organizations must implement manual mitigations or monitor for updates. Given the nature of the system—managing patient queues and potentially sensitive patient information—the exploitation of this vulnerability could undermine trust and violate data protection regulations.
Potential Impact
For European organizations, particularly those in the healthcare sector, this vulnerability poses a risk to patient data confidentiality and integrity. Exploitation could allow attackers to steal session cookies or credentials, leading to unauthorized access to patient information or administrative functions. This could result in data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential disruption of healthcare services. Since the system manages patient queues, manipulation could also affect operational availability indirectly by causing confusion or denial of service through malicious script execution. The medium severity rating reflects the moderate impact and ease of exploitation, but the sensitive context of healthcare data elevates the importance of timely mitigation. European healthcare providers using this system or similar SourceCodester products should be vigilant, as attackers may target such systems to gain footholds or exfiltrate protected health information.
Mitigation Recommendations
Organizations should immediately review and sanitize all user inputs, especially the firstName and lastName parameters in the /php/api_register_patient.php endpoint, using strict whitelist validation and context-appropriate output encoding to prevent script injection. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks. Monitor web application logs for suspicious input patterns indicative of exploitation attempts. If available, apply vendor patches promptly once released. Conduct security testing, including automated and manual penetration tests, focusing on input validation and XSS vectors. Educate users and administrators about the risks of clicking unknown links or interacting with untrusted content. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting this application. Regularly update and patch all components of the healthcare IT environment to reduce exposure to known vulnerabilities.
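The whitelist validation, context-appropriate output encoding, CSP header and log monitoring described in the technical analysis and the mitigation recommendations, as an added example that is not the page's own code nor SourceCodester's: a hypothetical hardened handler for the firstName and lastName parameters of a patient-registration API. The function names, the JSON response shape, the 60-character limit, the CSP policy and the sample inputs are all assumptions; the vendor's actual api_register_patient.php is not reproduced here.

```php
<?php
// Added example, not SourceCodester's code: a hypothetical hardened handler for
// the firstName/lastName parameters of a patient-registration API endpoint.
// Assumptions: names arrive via POST, the response is JSON that a front-end
// inserts into the page, and PHP >= 7.3 with mbstring is available.
// The unsafe pattern this replaces is reflecting the raw parameter into the
// response, e.g.  echo "Registered " . $_POST['firstName'];  with no encoding.
declare(strict_types=1);

/**
 * Whitelist validation for a person's name: Unicode letters and combining
 * marks, spaces, apostrophes, hyphens and periods, 1..60 characters.
 * Returns the trimmed name, or null when the input is rejected.
 */
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    // \p{L}/\p{M} accept non-ASCII names; markup characters such as < > " & ;
    // never match, so they are rejected before reaching storage or output.
    if (preg_match('/^[\p{L}\p{M} \'.\-]+$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/** Output encoding for the HTML text/attribute context (templates, not JSON). */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * JSON encoding that also escapes <, >, &, ' and " as \uXXXX, so a response
 * later placed into innerHTML or an inline <script> cannot close the context.
 */
function encodeJsonResponse(array $payload): string
{
    return json_encode(
        $payload,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Pulls a scalar string out of the request; arrays (firstName[]=...) count as empty. */
function stringParam(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? $v : '';
}

/** Validates both names and returns an HTTP status plus an encoded JSON body. */
function handleRegister(array $post): array
{
    $rawFirst = stringParam($post, 'firstName');
    $rawLast  = stringParam($post, 'lastName');
    $first = validateName($rawFirst);
    $last  = validateName($rawLast);

    if ($first === null || $last === null) {
        // Log the rejected values JSON-encoded and truncated: control characters
        // and quotes are escaped, so the log line itself is safe to view, and
        // the fixed string "rejected name input" gives the SOC something to alert on.
        error_log('api_register_patient: rejected name input ' . json_encode(
            [substr($rawFirst, 0, 200), substr($rawLast, 0, 200)],
            JSON_INVALID_UTF8_SUBSTITUTE
        ));
        return ['status' => 400, 'body' => encodeJsonResponse(['error' => 'Invalid name'])];
    }

    return [
        'status' => 200,
        'body'   => encodeJsonResponse(['firstName' => $first, 'lastName' => $last]),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs for a local run: an ordinary name with an
    // apostrophe, one containing a markup character that must be rejected,
    // and the HTML-context encoder applied to a value destined for a template.
    print_r(handleRegister(['firstName' => 'Ana', 'lastName' => "O'Neil"]));
    print_r(handleRegister(['firstName' => '<b>Ana', 'lastName' => 'Lopez']));
    echo encodeForHtml('<b>Ana</b>'), PHP_EOL;
} else {
    // Browser-side defence in depth: a restrictive CSP limits what an injected
    // script could do even if encoding were missed somewhere else in the app.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: application/json; charset=utf-8');
    $result = handleRegister($_POST);
    http_response_code($result['status']);
    echo $result['body'];
}
```

Run it with `php api_register_patient_hardened.php` (a file name chosen for this example) to exercise the constructed inputs, or serve it behind a web server to see the headers. Output encoding at the point of rendering is the primary control; the whitelist is defence in depth, and its character class should be widened rather than the encoding loosened if legitimate names are rejected. The CSP shown disallows inline scripts, so an application that relies on them needs nonces or hashes before the policy can be enforced; start it in Content-Security-Policy-Report-Only mode to surface those cases.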
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-18T13:50:12.547Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696df1ced302b072d99017b9
Added to database: 1/19/2026, 8:56:46 AM
Last enriched: 1/26/2026, 8:09:07 PM
Last updated: 2/7/2026, 9:58:30 AM