{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5179", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-30T18:58:56.794Z", "datePublished": "2026-03-31T04:00:18.639Z", "dateUpdated": "2026-03-31T13:49:31.730Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T04:00:18.639Z"}, "title": "SourceCodester Simple Doctors Appointment System login.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "SourceCodester", "product": "Simple Doctors Appointment System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-30T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-30T21:04:08.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "dyh18 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354247", "name": "VDB-354247 | SourceCodester Simple Doctors Appointment System login.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354247/cti", "name": "VDB-354247 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780353", "name": "Submit #780353 | SourceCodester Simple Doctor's Appointment System 1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/dyh1213-wq/cve/issues/3", "tags": ["exploit", "issue-tracking"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:49:23.779439Z", "id": "CVE-2026-5179", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:49:31.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5179", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:49:23.779439Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:49:27.299Z"}}], "cna": {"tags": ["x_freeware"], "title": "SourceCodester Simple Doctors Appointment System login.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "dyh18 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "SourceCodester", "product": "Simple Doctors Appointment System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-30T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-30T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-30T21:04:08.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354247", "name": "VDB-354247 | SourceCodester Simple Doctors Appointment System login.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354247/cti", "name": "VDB-354247 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780353", "name": "Submit #780353 | SourceCodester Simple Doctor's Appointment System 1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/dyh1213-wq/cve/issues/3", "tags": ["exploit", "issue-tracking"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T04:00:18.639Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5179", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:49:31.730Z", "dateReserved": "2026-03-30T18:58:56.794Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-31T04:00:18.639Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en SourceCodester Simple Doctors Appointment System 1.0. Esto afecta una parte desconocida del archivo /admin/login.php. La manipulaci\u00f3n del argumento Username resulta en inyecci\u00f3n SQL. El ataque puede ser ejecutado remotamente. El exploit ahora es p\u00fablico y puede ser usado."}], "id": "CVE-2026-5179", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-31T05:16:11.920", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/dyh1213-wq/cve/issues/3"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780353"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354247"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354247/cti"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "Simple Doctors Appointment System", "source": "cna", "vendor": "SourceCodester"}, "product": "doctor_appointment_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-31T05:52:15.565991+00:00", "value": {"mitigation_remediation": ["Check for an official patch from SourceCodester and apply it immediately. If no patch is available, modify the login logic to use prepared statements or parameterized queries for all user input before forming SQL statements. Restrict direct access to /admin/login.php by implementing IP whitelisting or requiring VPN access. Reduce the privileges of the database user used by the application to limit damage in case of injection. Continuously monitor authentication logs for repeated SQL syntax errors or unusual request patterns that may indicate attempted exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "SourceCodester Simple Doctors Appointment System version 1.0 runs on web servers that expose the /admin/login.php endpoint to external clients. The vulnerability affects that specific module of the application.", "description_and_impact": "The flaw exists in the Username field of /admin/login.php. An attacker can inject arbitrary SQL that is executed by the backend without proper sanitization, allowing bypass of authentication and unauthorized read, alteration or deletion of appointment records and other confidential data stored in the database.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates a moderate risk level. The EPSS score is not available and it is not listed in the CISA KEV, suggesting no widespread exploitation has been confirmed yet. However, the publicly available exploit code implies that automated scanners could discover and target this flaw from any network, and attackers would only need to send crafted HTTP requests to trigger the injection. Based on the description that the exploit is public, it is inferred that automated scanners could detect and exploit this flaw from any network."}}}}, "created": "2026-03-31T19:56:19.417251+00:00", "updated": "2026-04-03T09:10:33.845739+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$doctor_appointment_system"]}