CVE-2026-4473
Published: 20 March 2026
Summary
CVE-2026-4473 is a medium-severity Injection (CWE-74) vulnerability in Unguardable Online Doctor Appointment System. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-4473 is a SQL injection vulnerability in the itsourcecode Online Doctor Appointment System 1.0, affecting the processing of the file /admin/appointment_action.php. The issue arises from improper handling of the appointment_id parameter, classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). It has a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
The vulnerability can be exploited remotely by attackers who have high privileges, such as administrative access, with low attack complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads. The exploit is public and available for use.
Advisories and details are documented in references including a GitHub issue at https://github.com/sjkdhl/public/issues/2, the vendor site at https://itsourcecode.com/, and VulDB entries at https://vuldb.com/?ctiid.351763, https://vuldb.com/?id.351763, and https://vuldb.com/?submit.772883. No specific patch or mitigation details are provided in the available information.
The public availability of the exploit increases the risk for unpatched instances of the affected system.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13589
Vulnerability details
A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_action.php. The manipulation of the argument appointment_id results in sql injection. The attack can be launched remotely. The exploit is…
more
now public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app (/admin/appointment_action.php) directly enables exploitation of the application for initial or post-auth access (T1190); arbitrary SQL execution facilitates database querying (T1213.006) and stored data manipulation (T1565.001) with the described C/I/A impacts.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates SQL injection by validating and sanitizing the appointment_id parameter before its use in SQL queries in /admin/appointment_action.php.
Establishes a flaw remediation process to identify, prioritize, test, and patch the SQL injection vulnerability in the Online Doctor Appointment System.
Supports detection of the publicly disclosed SQL injection vulnerability through vulnerability scanning of the affected application.