{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4473", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-19T20:36:23.894Z", "datePublished": "2026-03-20T05:32:12.517Z", "dateUpdated": "2026-03-20T05:32:12.517Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-20T05:32:12.517Z"}, "title": "itsourcecode Online Doctor Appointment System appointment_action.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "itsourcecode", "product": "Online Doctor Appointment System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_action.php. The manipulation of the argument appointment_id results in sql injection. The attack can be launched remotely. The exploit is now public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-19T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-19T21:41:28.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "OneChicken (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.351763", "name": "VDB-351763 | itsourcecode Online Doctor Appointment System appointment_action.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351763", "name": "VDB-351763 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.772883", "name": "Submit #772883 | itsourcecode Online Doctor Appointment System V1.0 SQL injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sjkdhl/public/issues/2", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "tags": ["x_freeware"]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_action.php. The manipulation of the argument appointment_id results in sql injection. The attack can be launched remotely. The exploit is now public and may be used."}], "id": "CVE-2026-4473", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:12.997", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/sjkdhl/public/issues/2"}, {"source": "cna@vuldb.com", "url": "https://itsourcecode.com/"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.351763"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.351763"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.772883"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "online_doctor_appointment_system", "vendor": "itsourcecode"}], "analysis": {"en": {"generated_at": "2026-03-20T06:20:51.576272+00:00", "value": {"mitigation_remediation": ["Check the vendor's website or support portal for a patch or update for Online Doctor Appointment System 1.0", "If a patch is available, apply it immediately to the affected systems", "If no patch is available, implement input validation or use prepared statements for the appointment_id parameter to mitigate SQL injection", "Limit the database user permissions for the application to the minimum required, such as read and write but no administrative rights", "Monitor application and database logs for unusual activity or failed login attempts"], "summary": {"action": "Patch Now", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Key detail from product information: The affected vendor is itsourcecode, product Online Doctor Appointment System. Version 1.0 is known to contain the vulnerability. No other version data is provided, and it is unclear if later releases are affected.", "description_and_impact": "Key detail from description: The Online Doctor Appointment System 1.0 has a SQL injection vulnerability in /admin/appointment_action.php via the appointment_id parameter. The vulnerability permits an attacker to execute arbitrary SQL statements remotely, potentially exposing, modifying or deleting appointment data. The attack is remote and the exploit is publicly available, indicating that anyone can exploit the weakness without needing privileged access.", "risk_and_exploitability": "Key metric from scores: The CVSS base score is 5.1, indicating moderate severity. EPSS data is not available. The vulnerability is not listed in CISA's KEV catalog. The attack vector is remote, and the public availability of the exploit increases the likelihood that attackers will target affected installations. The lack of public patch information suggests that organizations should treat the risk as significant until a vendor update is released."}}}}, "created": "2026-03-20T08:52:26.857282+00:00", "updated": "2026-03-20T10:37:08.684334+00:00", "vendors": ["itsourcecode", "itsourcecode$PRODUCT$online_doctor_appointment_system"]}