CVE-2026-2149 is a cross-site scripting (XSS) vulnerability identified in SourceCodester's Patients Waiting Area Queue Management System version 1.0. The flaw resides in the /appointments.php endpoint, specifically in the handling of the patient_id parameter. Due to insufficient input sanitization and output encoding, an attacker can inject malicious JavaScript code that executes in the context of the victim's browser when they access a crafted URL or page. This vulnerability is remotely exploitable without requiring authentication, although user interaction is necessary to trigger the malicious script. The impact of successful exploitation includes theft of session cookies, redirection to malicious sites, or execution of arbitrary scripts leading to compromised user accounts or data leakage. The CVSS 4.0 base score is 5.3 (medium), reflecting the network attack vector, low complexity, no privileges required, but requiring user interaction and having limited impact on integrity. No patches have been officially released yet, and no known exploits are reported in the wild, but public exploit code availability increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is used primarily in healthcare settings to manage patient queues and appointments, making confidentiality and integrity of patient data a critical concern. The lack of secure coding practices in input handling highlights the need for immediate remediation to prevent potential attacks.

For European organizations, particularly those in the healthcare sector using the affected queue management system, this vulnerability poses risks to patient data confidentiality and system integrity. Exploitation could allow attackers to hijack user sessions, steal sensitive patient information, or manipulate appointment data, undermining trust in healthcare services. Additionally, successful XSS attacks can serve as a foothold for further attacks such as phishing or malware distribution within the organization. The impact on availability is limited, but reputational damage and regulatory non-compliance (e.g., GDPR) due to data breaches could have significant consequences. Given the critical nature of healthcare services, even medium-severity vulnerabilities warrant prompt attention to avoid disruption and data compromise.

Organizations should immediately review and sanitize all inputs, especially the patient_id parameter in /appointments.php, implementing strict input validation and output encoding to prevent script injection. If vendor patches become available, they should be applied without delay. In the interim, deploying a web application firewall (WAF) with rules to detect and block XSS payloads targeting this parameter can reduce risk. Conduct security code reviews and penetration testing focused on input handling in the application. Educate users and administrators about the risks of clicking on suspicious links. Additionally, implement Content Security Policy (CSP) headers to restrict script execution sources, limiting the impact of potential XSS attacks. Regularly monitor logs for suspicious activity related to this vulnerability and maintain an incident response plan tailored to web application attacks.