{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-37598", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T15:26:27.302Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T14:16:51.088Z"}, "descriptions": [{"lang": "en", "value": "SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/RCE-1.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:26:18.510607Z", "id": "CVE-2026-37598", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:26:27.302Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-37598", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:26:18.510607Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:25:30.597Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/RCE-1.md"}], "descriptions": [{"lang": "en", "value": "SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T14:16:51.088Z"}}}, "cveMetadata": {"cveId": "CVE-2026-37598", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:26:27.302Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings."}], "id": "CVE-2026-37598", "lastModified": "2026-04-17T15:32:21.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T15:16:33.750", "references": [{"source": "cve@mitre.org", "url": "https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/RCE-1.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "patient_appointment_scheduler_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-16T02:34:53.973191+00:00", "value": {"mitigation_remediation": ["Deploy any vendor\u2011supplied update or patch that addresses the RCE in the update_settings method as soon as it becomes available.", "Limit access to the update_settings endpoint by enforcing authentication or restricting access to trusted administrators or specific IP ranges.", "Enable application\u2011level logging and monitor server logs for unusual activity targeting the update_settings request to detect exploitation attempts.", "If a patch cannot be applied immediately, disable the update_settings functionality or remove the vulnerable file to block exploitation until a fix is applied.", "Keep the underlying platform, PHP runtime, and all third\u2011party components up to date with security patches to reduce the overall attack surface."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution via vulnerable System Settings update"}, "threat_synthesis": {"affected_systems": "The affected product is SourceCodester Patient Appointment Scheduler System version 1.0. The flaw is confined to the SystemSettings update functionality in the web application; no other products or versions have been identified as vulnerable.", "description_and_impact": "SourceCodester Patient Appointment Scheduler System version 1.0 contains an RCE vulnerability in the update_settings endpoint located at /scheduler/classes/SystemSettings.php?f=update_settings. The code fails to validate or sanitize input, so a crafted request allows an attacker to execute arbitrary PHP code on the server. This grants the attacker full control over the web application environment, potentially exposing sensitive data, modifying configuration, or disrupting service, thereby compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 2.7 denotes low severity; however, the vulnerability is a classic RCE that can be triggered by any user who can send a request to the exposed endpoint, with no authentication required. The EPSS score is below 1%, indicating a low current exploitation probability, and the flaw is not listed in the CISA KEV catalog. Based on the description the attack vector is a remote web request that supplies malicious input to the vulnerable endpoint."}}}}, "created": "2026-04-14T16:16:41.867086+00:00", "title": "Arbitrary Code Execution via Unvalidated Settings Update in Patient Appointment Scheduler System", "updated": "2026-04-16T02:45:06.080978+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$patient_appointment_scheduler_system"]}