CVE-2026-1146 identifies a cross-site scripting vulnerability in the Patients Waiting Area Queue Management System version 1.0 developed by SourceCodester/Patrick Mvuma. The vulnerability resides in the /php/api_register_patient.php endpoint, specifically in the handling of the firstName and lastName parameters. These parameters are susceptible to injection of malicious JavaScript code due to insufficient input validation and output encoding. An attacker can remotely exploit this vulnerability by crafting a specially designed request that injects script code into these parameters. When a victim user interacts with the affected functionality or views the injected content, the malicious script executes in their browser context. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), user interaction required (UI:P), and limited impact on confidentiality and integrity (VC:N, VI:L), with no impact on availability. Although no public exploits are currently known, the public disclosure increases the likelihood of exploitation attempts. The affected product is primarily used in healthcare environments to manage patient queues, making the confidentiality and integrity of patient data critical. The lack of a vendor patch link suggests that remediation may require manual mitigation or vendor engagement.

The impact of this XSS vulnerability can be significant for organizations using the affected queue management system, particularly in healthcare settings where patient data confidentiality and integrity are paramount. Successful exploitation can allow attackers to execute arbitrary scripts in the context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. This can compromise patient data privacy and trust, disrupt patient management workflows, and potentially lead to regulatory non-compliance with healthcare data protection laws. Additionally, attackers could use the vulnerability to deliver malware or conduct phishing attacks targeting staff or patients. While the vulnerability does not directly affect system availability, the indirect effects of compromised user accounts or data integrity can cause operational disruptions and reputational damage. The medium severity rating reflects these moderate but impactful risks. Organizations worldwide using this system or similar software with comparable vulnerabilities are at risk, especially if they have not implemented adequate input validation or web application security controls.

To mitigate CVE-2026-1146, organizations should implement the following specific measures: 1) Apply strict input validation on the firstName and lastName parameters to allow only expected characters (e.g., alphabetic characters, spaces, hyphens) and reject or sanitize any input containing script or HTML tags. 2) Employ proper output encoding/escaping techniques when rendering user-supplied data in web pages to prevent script execution. 3) Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser. 4) If available, update the Patients Waiting Area Queue Management System to a patched version provided by the vendor; if no patch exists, contact the vendor for remediation guidance. 5) Conduct regular security testing, including automated scanning and manual penetration testing, focusing on input handling and XSS vulnerabilities. 6) Educate users and administrators about the risks of XSS and encourage cautious interaction with unexpected or suspicious inputs. 7) Monitor web server and application logs for unusual requests targeting the vulnerable endpoint to detect potential exploitation attempts early. 8) Consider implementing web application firewalls (WAFs) with rules to detect and block XSS attack patterns targeting the affected parameters.