CVE-2026-3980

Severity: Medium · Public PoC

Published: 12 March 2026
Modified: 16 March 2026
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0038 (29.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3980 is a medium-severity Injection (CWE-74) vulnerability in Unguardable Online Doctor Appointment System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3980 is a SQL injection vulnerability (CWE-74, CWE-89) in the itsourcecode Online Doctor Appointment System version 1.0. The flaw affects an unknown function within the file /admin/patient_action.php, where manipulation of the patient_id argument enables SQL injection.

Remote attackers require no privileges or user interaction and face low attack complexity to exploit the issue, per the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (base score 7.3). Exploitation can result in limited impacts to confidentiality, integrity, and availability.

Advisories are documented on VulDB (ctiid.350415, id.350415, submit.769612), with a proof-of-concept exploit publicly disclosed in the GitHub repository vasable/automatic-parakeet issues/2. The vendor website is itsourcecode.com; no specific patch or mitigation details are provided in the references.

Vulnerability details

A vulnerability has been found in itsourcecode Online Doctor Appointment System 1.0. This impacts an unknown function of the file /admin/patient_action.php. Such manipulation of the argument patient_id leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in unauthenticated public-facing PHP web app endpoint directly enables remote exploitation of the application per T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3981 - Same product: Unguardable Online Doctor Appointment System
CVE-2026-4473 - Same product: Unguardable Online Doctor Appointment System
CVE-2026-2116 - Shared CWE-74, CWE-89
CVE-2025-15436 - Shared CWE-74, CWE-89
CVE-2026-6148 - Shared CWE-74, CWE-89
CVE-2026-3792 - Shared CWE-74, CWE-89
CVE-2026-9447 - Shared CWE-74, CWE-89
CVE-2026-6153 - Shared CWE-74, CWE-89
CVE-2025-0699 - Shared CWE-74, CWE-89
CVE-2025-7218 - Shared CWE-74, CWE-89

Affected Assets

Vendor: unguardable · Product: online doctor appointment system · Version: 1.0

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validation and sanitization of all inputs (patient_id) to reject malformed or malicious SQL syntax before it reaches the database.

prevent: Boundary protection devices or WAF rules can inspect and block SQL injection payloads targeting /admin/patient_action.php at the network or application perimeter.

prevent: Enforces that only properly formed, authorized queries are executed against patient records, preventing unauthorized data manipulation via unsanitized input.
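As an added illustration of the input-validation and access-enforcement controls above, here is a hardened handler for a patient_id parameter. This is example code written for this page, not code from the affected product; the PDO connection details, the `patients` table and its columns, and the `admin_id` session key are all assumptions.

```php
<?php
// Added example (not the product's code): hardened lookup by patient_id.
// Assumptions: a PDO connection, a table `patients` with an integer primary
// key `patient_id`, and an admin session flag `admin_id` set at login.
declare(strict_types=1);

function parsePatientId(array $request): ?int
{
    // Input validation (SI-10 style): accept only a positive integer of at
    // most 10 digits; anything else, including SQL syntax, is rejected.
    $raw = $request['patient_id'] ?? null;
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function loadPatient(PDO $pdo, int $patientId): ?array
{
    // Parameterized query: the value is bound as an integer, never
    // concatenated into the SQL text, so input cannot alter the statement.
    $stmt = $pdo->prepare('SELECT patient_id, name FROM patients WHERE patient_id = :id');
    $stmt->bindValue(':id', $patientId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling as it would sit at the top of an admin action script.
session_start();
if (empty($_SESSION['admin_id'])) {             // Access enforcement (AC-3)
    http_response_code(403);
    exit('Forbidden');
}
// Placeholder DSN and credentials; replace with the deployment's own.
$pdo = new PDO('mysql:host=localhost;dbname=appointments', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,        // server-side prepared statements
]);
$patientId = parsePatientId($_GET);
if ($patientId === null) {
    http_response_code(400);
    exit('Invalid patient_id');
}
$patient = loadPatient($pdo, $patientId);
header('Content-Type: application/json');
echo json_encode($patient ?? ['error' => 'not found']);
```

The two layers are independent: even if the validation regex were loosened, the bound integer parameter alone prevents the injection described in this record.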
