VYPR
Unrated severity · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-36324

Description

SourceCodester Doctor Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) due to improper handling of user supplied input in the user registration functionality in register.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in SourceCodester Doctor Appointment System 1.0 allows unauthenticated attackers to execute arbitrary JavaScript in the admin panel via user registration fields.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Doctor Appointment System version 1.0 [1]. The user registration functionality in register.php does not properly sanitize user-supplied input, allowing an attacker to inject arbitrary JavaScript. The injected payload is stored in the database and later rendered without output encoding in the administrative user management interface at admin/users.php [2].

Exploitation

An unauthenticated attacker can access the registration form at `/register.php` and submit a malicious JavaScript payload (e.g., `<script>alert(document.cookie)</script>`) in the first name, last name, or email fields. When an administrator views the user list on the Admin Dashboard at `/admin/users.php`, the stored payload executes in the administrator's browser context [2]. The attacker needs no account on the application, and the administrator needs to do nothing beyond opening the user list for the payload to fire.

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the context of the administrator's session. This can lead to theft of session cookies (where they are not flagged HttpOnly), defacement, actions performed through the admin interface on the attacker's behalf, and potentially full administrative account takeover, compromising the confidentiality and integrity of the application [2]. The assigned CVSS v3.1 base score is 6.5 (Medium): network attack vector, low attack complexity, no privileges required, and no user interaction [2].

Mitigation

As of the publication date, SourceCodester has released no official patch. Until one is available, validate input on the registration form and apply context-appropriate output encoding wherever stored user data is rendered, in particular the admin user management interface. A web application firewall (WAF) with XSS rules, or manual filtering of the affected fields, can reduce exposure in the interim but is not a substitute for output encoding [1][2].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper handling of user-supplied input in the user registration functionality allows stored cross-site scripting."

Attack vector

An unauthenticated attacker accesses the registration form at `/register.php` and submits a malicious JavaScript payload (e.g. `<script>alert(document.cookie)</script>`) in fields such as first name, last name, or email. The payload is stored in the database and later executed when an administrator views the user list at `/admin/users.php`, allowing arbitrary script execution in the admin's browser context [1].

Affected code

The vulnerability resides in the user registration functionality in `register.php` and the administrative user management interface in `admin/users.php`. The registration form does not sanitize user-supplied input, and the admin panel renders that stored data without output encoding.

What the fix does

The advisory does not provide a patch. The recommended remediation is to properly validate and sanitize all user-supplied input on the registration form and to apply context-appropriate output encoding (e.g. HTML entity encoding) when rendering stored data in the administrative user management interface [1].
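The Mitigation section above and this one both describe the same fix: encode at the point of output and validate at the point of input. The following is an added example that illustrates it; it is not code from SourceCodester Doctor Appointment System, whose source is not shown in the advisory. The column names, the `$user` array, the `edit_user.php` link and the `h()` helper are all assumptions for illustration. The `first_name` value is the payload quoted in the advisory; the `last_name` value is constructed here to show why attribute context matters.

```php
<?php
// Added example, not code from SourceCodester Doctor Appointment System.
// Shows a vulnerable admin/users.php-style row renderer beside a hardened
// one, plus registration-side validation. Field names are assumptions.
declare(strict_types=1);

// Constructed record standing in for a row that register.php stored.
// first_name carries the payload from the advisory; last_name is a
// constructed attribute-breakout value (not from the advisory).
$user = [
    'id'         => 42,
    'first_name' => '<script>alert(document.cookie)</script>',
    'last_name'  => 'O\'Brien" onmouseover="alert(1)',
    'email'      => 'mallory@example.com',
];

// VULNERABLE: stored values concatenated straight into HTML, the pattern
// the advisory describes for admin/users.php. Shown for contrast only.
function renderRowVulnerable(array $u): string
{
    return "<tr><td>{$u['id']}</td><td>{$u['first_name']}</td>"
         . "<td>{$u['last_name']}</td><td>{$u['email']}</td>"
         . "<td><a href=\"edit_user.php?id={$u['id']}\" title=\"{$u['first_name']}\">edit</a></td></tr>";
}

// HTML text / attribute encoder (assumed helper name). ENT_QUOTES covers
// both quote styles so values are safe inside quoted attributes as well.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// HARDENED: every stored string passes through h() at output time; the
// numeric id is cast so it cannot carry markup at all.
function renderRowSafe(array $u): string
{
    $id = (int) $u['id'];
    return "<tr><td>{$id}</td><td>" . h($u['first_name']) . "</td>"
         . "<td>" . h($u['last_name']) . "</td><td>" . h($u['email']) . "</td>"
         . "<td><a href=\"edit_user.php?id={$id}\" title=\"" . h($u['first_name']) . "\">edit</a></td></tr>";
}

// Registration-side validation for register.php: defence in depth.
// Output encoding is the fix; this limits what reaches the database.
// Requires the mbstring extension for mb_strlen().
function validateRegistration(array $in): array
{
    $errors = [];
    foreach (['first_name', 'last_name'] as $f) {
        $v = trim((string) ($in[$f] ?? ''));
        if ($v === '' || mb_strlen($v) > 50
            || !preg_match("/^[\\p{L}\\p{M} .'-]+$/u", $v)) {
            $errors[] = "$f: 1-50 letters, spaces, dots, apostrophes or hyphens";
        }
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    return $errors;
}

echo "vulnerable: " . renderRowVulnerable($user) . "\n";
echo "hardened:   " . renderRowSafe($user) . "\n";
print_r(validateRegistration($user)); // both name fields are rejected
```

Run with `php example.php`: the vulnerable line emits the `<script>` element verbatim and the `last_name` value closes the `title` attribute and adds an `onmouseover` handler, while the hardened line renders the same data as inert text (`&lt;script&gt;…`, `&quot;`, `&#039;`). `htmlspecialchars` is correct only for HTML text and quoted attribute contexts; data written into a JavaScript block, a URL, or CSS needs that context's own encoding. The validation rejects the two name fields and accepts the email, which is why validation alone would not have stopped an email-field payload and the encoding step is the part that must not be skipped.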

Preconditions

  • Network: the attacker must be able to reach the public registration form at /register.php
  • Auth: an administrator must visit the user management page at /admin/users.php to trigger the stored payload

Reproduction

As an unauthenticated user, access the registration form at `/register.php`. Insert the sample JavaScript payload `<script>alert(document.cookie)</script>` into the affected input fields (first name, last name, email). When an administrator views the user list at `/admin/users.php`, the injected payload is rendered and executed [1].

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.