What is CVE-2026-1146?

A low-severity cross-site scripting vulnerability has been identified in the Pamzey Patients Waiting Area Queue Management System 1.0. Organizations using this system should be aware of the risks and address the vulnerability through appropriate remediation strategies.

What is the severity of CVE-2026-1146?

CVE-2026-1146 has a severity rating of LOW with a CVSS base score of 2.

CVE-2026-1146 | Low Severity Vulnerability in Pamzey Patients Waiting Area Queue Management System

A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

The severity of this vulnerability is classified as low, with a CVSS score of 2. This means that while the risk is present, it is not deemed critical. However, organizations should still prioritize addressing this vulnerability to mitigate potential risks associated with cross-site scripting attacks.

Risk to organizations includes potential unauthorized access to sensitive data through the exploitation of this vulnerability. Attackers may leverage this weakness to inject malicious scripts, which could lead to data theft or session hijacking.

Organizations should address this vulnerability in their patching cycle, as it could represent a vector for further attacks if left unmitigated. Immediate action is recommended to ensure that systems are secure and compliant with security best practices.

Vulnerability Details

The vulnerability allows for cross-site scripting (CWE-79) and is also related to remote code execution (CWE-94). The CVSS score of 2 indicates a low severity level, suggesting that while the risk is present, it is not critical. The affected product is the Patients Waiting Area Queue Management System by Pamzey, version 1.0. This vulnerability was published on January 19, 2026.

Technical Analysis

The root cause of this vulnerability stems from improper validation of user inputs in the API endpoint /php/api_register_patient.php. Attack vectors include network access, with low attack complexity due to the need for only basic user interaction.

The attack requires low privileges and minimal user interaction, allowing potential attackers to exploit the system with relative ease. The confidentiality impact is classified as none, while integrity impact is low.

Risk & Impact Analysis

Real-world deployment risk associated with this vulnerability is moderate. Organizations using the affected system are at risk of data breaches and unauthorized access to sensitive information. The blast radius potential includes all systems that utilize the affected API, potentially exposing a wide range of user data.

Urgency for remediation is low, as indicated by the CVSS score. However, organizations should still prioritize this vulnerability to prevent potential exploitation and enhance overall cybersecurity posture.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected version is SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. All versions prior to vendor patch are vulnerable to this issue.

Mitigation & Remediation

Organizations should prioritize patching the affected systems as soon as possible. If a patch is not available, consider implementing input validation controls and sanitizing user inputs to mitigate the risk of cross-site scripting.

For further guidance on penetration testing and security assessments, organizations can explore options for penetration testing that can help identify similar weaknesses.

Detection Guidance

Monitoring logs for unusual input patterns in the /php/api_register_patient.php endpoint can help detect attempts to exploit this vulnerability. Additionally, look for any anomalous behaviors that may indicate successful exploitation.

AppSecure Threat Intelligence Insight

This vulnerability exemplifies the ongoing need for organizations to maintain strict input validation and security practices in their applications. By understanding the potential impacts of cross-site scripting vulnerabilities, security teams can better prepare their defenses.

For organizations looking to enhance their security posture, consider reviewing best practices for security testing and implementing comprehensive vulnerability management strategies.

Additionally, organizations should focus on developing a robust vulnerability management program to assess and mitigate risks effectively.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-1146: Low Severity Vulnerability in Pamzey Patients Waiting Area Queue Management System