CVE-2026-1147 identifies a cross-site scripting vulnerability in the SourceCodester Patients Waiting Area Queue Management System version 1.0. The vulnerability is located in the /php/api_patient_schedule.php endpoint, specifically involving the 'Reason' parameter. An attacker can craft malicious input that is not properly sanitized or encoded before being reflected back to users, enabling the injection and execution of arbitrary JavaScript code in the victim’s browser. This type of vulnerability is classified as reflected XSS, which can be triggered remotely without requiring authentication, although it does require some user interaction such as clicking a crafted link or submitting manipulated input. The exploit allows attackers to steal session cookies, perform actions on behalf of the user, or redirect victims to malicious sites, thereby compromising confidentiality and integrity of user data. The vulnerability does not affect availability directly and does not require elevated privileges to exploit. While no active exploitation has been reported, the public availability of exploit code increases the risk of opportunistic attacks. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, partial user interaction, and limited impact on confidentiality and integrity. The affected product is a queue management system used in healthcare or patient service environments, which may contain sensitive patient scheduling information. No official patches or vendor advisories have been linked yet, emphasizing the need for immediate mitigation steps by administrators.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity through the execution of malicious scripts in users’ browsers. Attackers can hijack user sessions, steal sensitive information such as patient scheduling details, or perform unauthorized actions within the application context. This can lead to privacy violations, reputational damage, and potential regulatory non-compliance for healthcare organizations. Although availability is not directly impacted, successful exploitation could facilitate phishing or social engineering attacks that indirectly disrupt operations. Given the healthcare context, compromised patient data or scheduling information could have downstream effects on patient care coordination. The medium severity rating reflects the moderate risk posed by this vulnerability, balancing ease of exploitation with limited impact scope. Organizations worldwide using this specific queue management system version are at risk, especially those with exposed web interfaces accessible over the internet.

1. Immediate mitigation should include input validation and output encoding on the 'Reason' parameter in /php/api_patient_schedule.php to neutralize malicious scripts. 2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3. Employ web application firewalls (WAFs) with rules targeting common XSS attack patterns to block exploit attempts. 4. Restrict access to the queue management system’s web interface to trusted networks or VPNs to reduce exposure. 5. Educate users about the risks of clicking suspicious links or submitting untrusted input. 6. Monitor application logs for unusual input patterns or repeated attempts to exploit the vulnerability. 7. Engage with the vendor or community to obtain or develop official patches or updates addressing this vulnerability. 8. Conduct regular security assessments and penetration tests focusing on input handling and XSS vulnerabilities. 9. Where possible, isolate the queue management system from other critical healthcare infrastructure to limit lateral movement in case of compromise.