Submit #801204: SourceCodester Patiente Queue Management System (PQMS) 1.0 Code Injectioninfo

TitleSourceCodester Patiente Queue Management System (PQMS) 1.0 Code Injection
DescriptionThe endpoint `php/api_patient_checkin.php` is vulnerable to an unauthenticated SQL Injection via the `appointmentID` parameter. Due to the application running with high-privileged database credentials (root) and the lack of input sanitization, an attacker can escalate this SQLi to **Remote Code Execution (RCE)** using the `INTO OUTFILE` statement to write a PHP web shell into the web root. (PQMS is available at https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html)
Source⚠️ https://gist.github.com/NicolasPauferro/65a7113cd7d7c525ab4b87fa0fa1d5e8
User
 Nicolas Pauferro (UID 96903)
Submission04/09/2026 20:27 (3 months ago)
Moderation04/26/2026 21:34 (17 days later)
StatusDuplicate
VulDB entry332350 [SourceCodester Patients Waiting Area Queue Management System 1.0 api_patient_checkin.php getPatientAppointment appointmentID sql injection]
Points0

Want to know what is going to be exploited?

We predict KEV entries!