CVE-2026-1147 is a cross-site scripting vulnerability identified in SourceCodester's Patients Waiting Area Queue Management System version 1.0. The flaw resides in the /php/api_patient_schedule.php script, specifically in the handling of the 'Reason' parameter. The application fails to properly sanitize or encode this input, allowing an attacker to inject arbitrary JavaScript code. This vulnerability can be exploited remotely without authentication, requiring only that a victim interacts with a maliciously crafted URL or input vector. The attack vector involves injecting script code that executes in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS 4.0 base score is 5.1, reflecting medium severity due to the lack of authentication requirement but the need for user interaction and limited impact on availability. No official patches or updates have been released yet, and while no active exploitation in the wild has been reported, public exploit code is available, increasing the risk of opportunistic attacks. The vulnerability highlights insufficient input validation and output encoding in the affected parameter, a common weakness in web applications. Given the system's role in managing patient queues, exploitation could disrupt healthcare workflows or compromise sensitive patient information indirectly through session compromise or phishing attacks.

For European organizations, particularly those in the healthcare sector using the affected queue management system, this vulnerability poses risks to patient data confidentiality and system integrity. Successful exploitation could allow attackers to steal session cookies or credentials, leading to unauthorized access to patient scheduling information or administrative functions. This could result in privacy violations under GDPR, reputational damage, and potential disruption of patient services. Although the vulnerability does not directly affect system availability, the indirect effects of phishing or defacement could impair trust and operational efficiency. The medium severity rating suggests a moderate risk, but the healthcare context elevates the importance of timely mitigation. Organizations may also face regulatory scrutiny if patient data is compromised. The lack of patches means that organizations must rely on compensating controls until an official fix is available.

1. Implement strict input validation and sanitization on the 'Reason' parameter to ensure no executable scripts can be injected. 2. Apply context-aware output encoding (e.g., HTML entity encoding) before rendering user-supplied data in web pages. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Conduct regular security assessments and code reviews focusing on input handling in the affected application components. 5. Educate users and staff about phishing risks and suspicious links to reduce the chance of successful exploitation. 6. Monitor web server and application logs for unusual requests targeting the vulnerable parameter. 7. If possible, isolate or restrict access to the queue management system to trusted networks or VPNs. 8. Engage with the vendor or community to track patch releases and apply updates promptly once available. 9. Consider deploying Web Application Firewalls (WAF) with rules to detect and block XSS attack patterns targeting the vulnerable endpoint.