Cyber Resilience

CVE-2026-4473

MediumPublic PoC

Published: 20 March 2026

Published
20 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0032 23.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-4473 is a medium-severity Injection (CWE-74) vulnerability in Unguardable Online Doctor Appointment System. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4473 is a SQL injection vulnerability in the itsourcecode Online Doctor Appointment System 1.0, affecting the processing of the file /admin/appointment_action.php. The issue arises from improper handling of the appointment_id parameter, classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). It has a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.

The vulnerability can be exploited remotely by attackers who have high privileges, such as administrative access, with low attack complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads. The exploit is public and available for use.

Advisories and details are documented in references including a GitHub issue at https://github.com/sjkdhl/public/issues/2, the vendor site at https://itsourcecode.com/, and VulDB entries at https://vuldb.com/?ctiid.351763, https://vuldb.com/?id.351763, and https://vuldb.com/?submit.772883. No specific patch or mitigation details are provided in the available information.

The public availability of the exploit increases the risk for unpatched instances of the affected system.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_action.php. The manipulation of the argument appointment_id results in sql injection. The attack can be launched remotely. The exploit is…

more

now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection in public-facing web app (/admin/appointment_action.php) directly enables exploitation of the application for initial or post-auth access (T1190); arbitrary SQL execution facilitates database querying (T1213.006) and stored data manipulation (T1565.001) with the described C/I/A impacts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3980Same product: Unguardable Online Doctor Appointment System
CVE-2026-3981Same product: Unguardable Online Doctor Appointment System
CVE-2026-2621Shared CWE-74, CWE-89
CVE-2025-7199Shared CWE-74, CWE-89
CVE-2026-3487Shared CWE-74, CWE-89
CVE-2025-2740Shared CWE-74, CWE-89
CVE-2025-1964Shared CWE-74, CWE-89
CVE-2025-0562Shared CWE-74, CWE-89
CVE-2025-1900Shared CWE-74, CWE-89
CVE-2026-0850Shared CWE-74, CWE-89

Affected Assets

unguardable
online doctor appointment system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SQL injection by validating and sanitizing the appointment_id parameter before its use in SQL queries in /admin/appointment_action.php.

prevent

Establishes a flaw remediation process to identify, prioritize, test, and patch the SQL injection vulnerability in the Online Doctor Appointment System.

detect

Supports detection of the publicly disclosed SQL injection vulnerability through vulnerability scanning of the affected application.

References