CVE-2026-5180
Published: 31 March 2026
Summary
CVE-2026-5180 is a medium-severity injection (CWE-74) vulnerability in SourceCodester Simple Doctors Appointment System 1.0 (product inferred from the references). Its reported base score is 6.9 (Medium); the CVSS v3.1 score quoted below is 7.3 (High). The two figures are consistent with scoring under different CVSS versions (6.9 matches the v4.0 value VulDB publishes alongside its v3.1 score), so check which version your triage tooling compares against before ranking this against other findings.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 2.9th percentile (well below the median), and it is not currently listed in the CISA KEV catalog. Treat the low percentile as a prediction, not a safety margin: a public exploit exists (see below), and an unauthenticated, low-complexity SQL injection in an admin login endpoint needs no further research to weaponise once an exposed instance is found.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-5180 is a SQL injection vulnerability in SourceCodester Simple Doctors Appointment System 1.0, affecting an unidentified code path behind the file /admin/ajax.php?action=login2. The flaw arises from manipulation of the 'email' argument, which reaches a SQL statement without neutralisation. Published on 2026-03-31T05:16:12.143, it carries a CVSS v3.1 base score of 7.3 (High; AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and its child CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection').
The vulnerability is exploitable remotely by unauthenticated attackers, requires low attack complexity and needs no user interaction. The vector rates confidentiality, integrity and availability impact as low, but in practice a SQL injection in a login handler commonly allows authentication bypass (a tautology in the WHERE clause), extraction or modification of rows in the application's database, and denial of service through time-based or destructive statements; the practical impact depends on the database user's privileges and on whether stacked queries are permitted.
Advisories and further details are documented on VulDB at https://vuldb.com/vuln/354248 and related pages, with a GitHub issue at http://github.com/dyh1213-wq/cve/issues/4. The application's source is available at https://www.sourcecodester.com/. A public exploit has been published and may be used, which raises real-world exploitation risk; no vendor fix is referenced on this page, so operators should assume the shipped 1.0 code remains vulnerable.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17313
Vulnerability details
A flaw has been found in SourceCodester Simple Doctors Appointment System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=login2. Manipulation of the argument email causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used.
- CWE(s): CWE-74 (Injection), CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable SQL injection in a public-facing web application (/admin/ajax.php), which maps directly to T1190 (Exploit Public-Facing Application) for initial access and database manipulation. Because the injection sits in the admin login action, a successful attack also yields an authenticated admin session in the application without any credentials, so follow-on activity should be expected inside the admin interface rather than only in the database.
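For detection, a useful first check is to review web-server logs for requests to the affected action whose email parameter does not look like an email address or contains SQL metacharacters. The following Python is an added example written for this page, not code from SourceCodester or VulDB. It assumes the email parameter is visible in the request line (a GET query string, or a proxy/WAF that logs form bodies into the same field); the log lines are constructed for the example, and the addresses, timestamps and payloads in them are invented.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined"-style request line; only the leading fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Shape check for the 'email' value (deliberately strict: a login email should be a
# plain address, so anything else is worth a look even if it is not an attack).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Common SQL injection markers after URL decoding: quote, comment openers,
# tautology, UNION, and MySQL time-based primitives.
SQLI_RE = re.compile(
    r"(?i)('|--|/\*|\bor\b\s+\S+\s*=\s*\S+|\bunion\b|\bsleep\s*\(|\bbenchmark\s*\()"
)

# Constructed sample log (not real traffic). Lines 2 and 3 carry injection payloads.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2026:06:12:01 +0000] "GET /admin/ajax.php?action=login2&email=admin%40example.com&password=x HTTP/1.1" 200 42 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Mar/2026:06:12:05 +0000] "GET /admin/ajax.php?action=login2&email=%27+OR+%271%27%3D%271%27+--+&password=x HTTP/1.1" 200 42 "-" "python-requests/2.31"
198.51.100.9 - - [31/Mar/2026:06:12:09 +0000] "GET /admin/ajax.php?action=login2&email=a%40b.com%27+AND+SLEEP(5)--&password=x HTTP/1.1" 200 42 "-" "python-requests/2.31"
203.0.113.8 - - [31/Mar/2026:06:13:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.8 - - [31/Mar/2026:06:13:30 +0000] "POST /admin/ajax.php?action=save_appointment HTTP/1.1" 200 10 "-" "Mozilla/5.0"
""".splitlines()


def analyse(line):
    """Return a finding dict for a login2 request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != "/admin/ajax.php":
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes values
    if qs.get("action", [""])[0] != "login2":
        return None
    email = qs.get("email", [""])[0]
    reasons = []
    if not EMAIL_RE.fullmatch(email):
        reasons.append("not-an-email")
    if SQLI_RE.search(email):
        reasons.append("sql-metachars")
    return {"ip": m["ip"], "ts": m["ts"], "email": email, "reasons": reasons}


def find_suspicious(lines):
    """All login2 requests whose email value fails either check."""
    hits = []
    for line in lines:
        finding = analyse(line)
        if finding and finding["reasons"]:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], repr(hit["email"]), ",".join(hit["reasons"]))
```

If the application submits the login form as a POST body (which an AJAX endpoint often does), ordinary access logs will not contain the email value and this check has to run on WAF, reverse-proxy or application-level logging instead; the decoding and matching logic is the same. The filter is scoped to action=login2 because that is the action the advisory names, but other actions on the same ajax.php are worth the same scrutiny.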
Affected Assets
SourceCodester Simple Doctors Appointment System 1.0: file /admin/ajax.php, action login2, parameter email.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 addresses the root cause by requiring validation and sanitisation of untrusted inputs such as the 'email' parameter in /admin/ajax.php?action=login2. In practice the control is satisfied by parameterised (prepared) statements, which keep the value out of the SQL text entirely; a format check on the email is useful defence in depth but is not a substitute, since a value that passes a loose check can still carry SQL.
SI-2 requires timely identification, reporting, and remediation of flaws, directly addressing the SQL injection vulnerability in this CVE through patching.
RA-5 mandates vulnerability scanning that would detect SQL injection issues like CVE-2026-5180 in the login endpoint and trigger remediation.
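The following is an added example written for this page, not SourceCodester's code (the advisory calls the affected code "unknown", and the real application is PHP). It reconstructs the failure mode described in the Deeper analysis section and the SI-10 remediation above in Python against an in-memory SQLite table: a login query built by string concatenation, the authentication bypass a tautology in the email argument produces, and a hardened version that validates the email's shape and binds it as a parameter. The table schema, the admin row and the payload are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for an admin table; the real schema is not known from the advisory.
# Plaintext passwords are used only to keep the example short; real code must hash them.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.execute("INSERT INTO admin (email, password) VALUES (?, ?)",
                ("admin@example.com", "s3cret"))
    return con


def login_vulnerable(con, email, password):
    """CWE-89: attacker-controlled 'email' is spliced into the SQL text."""
    sql = f"SELECT id FROM admin WHERE email = '{email}' AND password = '{password}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def login_hardened(con, email, password):
    """SI-10: validate the shape of the input, then bind it as a parameter."""
    if not EMAIL_RE.fullmatch(email):
        return None  # reject before the value gets anywhere near the database
    # The driver sends the values separately from the SQL text, so quotes and
    # comment markers in 'email' are data, never syntax. This alone closes the hole;
    # the regex above is defence in depth.
    row = con.execute(
        "SELECT id FROM admin WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    return row[0] if row else None


# Classic tautology: the quote closes the email literal, OR '1'='1' is always true,
# and the trailing comment discards the password check. Constructed for the example.
PAYLOAD = "' OR '1'='1' -- "


def demo():
    """Run both handlers with a legitimate login and with the injection payload."""
    con = make_db()
    return {
        "vuln_legit": login_vulnerable(con, "admin@example.com", "s3cret"),
        "vuln_bypass": login_vulnerable(con, PAYLOAD, "wrong"),
        "hardened_legit": login_hardened(con, "admin@example.com", "s3cret"),
        "hardened_bypass": login_hardened(con, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, admin_id in demo().items():
        print(f"{name:16s} -> {'logged in as id ' + str(admin_id) if admin_id else 'denied'}")
```

With the payload the vulnerable handler executes `SELECT id FROM admin WHERE email = '' OR '1'='1' -- ' AND password = 'wrong'` and returns the first admin row with a wrong password, which is the authentication bypass; the hardened handler rejects the same input before any query runs and still authenticates the genuine credentials. The PHP equivalent of the fix is a prepared statement via PDO or mysqli with bound parameters, applied to every query that receives request data, not only to login2.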