PatchSiren cyber security CVE debrief

CVE-2026-9603 SourceCodester CVE debrief

A missing authorization vulnerability in SourceCodester eDoc Doctor Appointment System 1.0 allows remote attackers to manipulate the ID parameter in /admin/delete-session.php without proper authentication. The vulnerability was disclosed publicly on 2026-05-26 with proof-of-concept materials available. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and no user interaction needed, resulting in medium severity (5.5). The weakness is categorized under CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization). No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA KEV.

Vendor: SourceCodester
Product: eDoc Doctor Appointment System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations running SourceCodester eDoc Doctor Appointment System 1.0; healthcare IT administrators; web application security teams; incident response teams monitoring for unauthorized administrative access attempts

Technical summary

The eDoc Doctor Appointment System 1.0 fails to verify authorization before processing session deletion requests via the ID parameter in /admin/delete-session.php. This allows unauthenticated remote attackers to delete arbitrary sessions. The vulnerability is exploitable over the network without authentication or user interaction. The CVSS 4.0 score of 5.5 reflects low integrity and availability impact (VI:L/VA:L) and proof-of-concept exploit maturity (E:P).

Defensive priority

medium

Recommended defensive actions

  • Review and implement proper authorization checks on /admin/delete-session.php before processing ID parameter operations
  • Apply principle of least privilege to administrative session management functions
  • Monitor for unauthorized DELETE or POST requests to /admin/delete-session.php with unexpected ID values
  • Consider implementing additional authentication layers for sensitive administrative operations
  • Review the VulDB advisory and threat intelligence context for additional defensive guidance
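As an added example (not part of the PatchSiren debrief or of the SourceCodester project), the following Python script implements the monitoring action above over web-server access logs in combined log format. It goes slightly beyond the DELETE/POST wording: it inspects every request to /admin/delete-session.php regardless of method, and flags three patterns a defender would want to triage: an id that is not a plain integer, a call that did not originate from the application's own pages (no or foreign Referer), and one source IP touching many distinct ids. The deployment hostname clinic.example.org, the bulk threshold, and the log lines are constructed assumptions.

```python
"""Detection sketch for CVE-2026-9603 (eDoc Doctor Appointment System 1.0).

Scans combined-format access logs for requests to /admin/delete-session.php
and reports patterns worth triage. All sample data below is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/admin/delete-session.php"
APP_HOST = "clinic.example.org"   # assumption: hostname of the deployment
BULK_THRESHOLD = 3                # distinct ids from one IP before flagging (tunable)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one legitimate admin action, one scripted sweep of ids
# with no Referer, and one request with a non-numeric id.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2026:09:12:01 +0000] "GET /admin/delete-session.php?id=17 HTTP/1.1" 302 0 "https://clinic.example.org/admin/manage-sessions.php" "Mozilla/5.0"
203.0.113.9 - - [26/May/2026:09:15:44 +0000] "GET /admin/delete-session.php?id=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [26/May/2026:09:15:45 +0000] "GET /admin/delete-session.php?id=2 HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [26/May/2026:09:15:46 +0000] "GET /admin/delete-session.php?id=3 HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.7 - - [26/May/2026:09:20:10 +0000] "POST /admin/delete-session.php?id=abc HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.5 - - [26/May/2026:09:21:00 +0000] "GET /admin/manage-sessions.php HTTP/1.1" 200 4120 "https://clinic.example.org/admin/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Scan log text; return a list of findings, each {rule, ip, detail}."""
    findings = []
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != TARGET_PATH:
            continue
        id_vals = parse_qs(url.query).get("id", [])
        id_val = id_vals[0] if id_vals else ""
        ids_by_ip[rec["ip"]].add(id_val)

        # Rule 1: the endpoint expects an integer id; anything else is suspicious.
        if not re.fullmatch(r"[0-9]+", id_val):
            findings.append({"rule": "malformed_id", "ip": rec["ip"],
                             "detail": f"{rec['method']} id={id_val!r}"})

        # Rule 2: legitimate admin clicks carry a Referer from the app itself.
        # Referer is client-controlled, so treat this as a triage signal only.
        ref_host = urlsplit(rec["referer"]).netloc if rec["referer"] != "-" else ""
        if ref_host != APP_HOST:
            findings.append({"rule": "no_admin_referer", "ip": rec["ip"],
                             "detail": f"referer={rec['referer']} ua={rec['ua']}"})

    # Rule 3: one source deleting many distinct sessions looks like a sweep.
    for ip, ids in ids_by_ip.items():
        if len(ids) >= BULK_THRESHOLD:
            findings.append({"rule": "bulk_deletion", "ip": ip,
                             "detail": f"{len(ids)} distinct ids: {sorted(ids)}"})
    return findings


def rules_by_ip(findings):
    """Collapse findings into {ip: sorted distinct rule names} for quick triage."""
    out = defaultdict(set)
    for f in findings:
        out[f["ip"]].add(f["rule"])
    return {ip: sorted(rules) for ip, rules in out.items()}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:18} {f['ip']:15} {f['detail']}")
```

If the application passes the id in a POST body rather than the query string, the access log will not show it; the same rules then need application-level or WAF request logging as their input. After the authorization fix is deployed, unauthenticated calls should surface as 401/403 responses on this path, which is a useful signal that the patch is in place and that probing continues.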

Evidence notes

Vulnerability affects /admin/delete-session.php via ID parameter manipulation. Public exploit disclosed. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P. Weaknesses: CWE-862, CWE-863.

Official resources

2026-05-26