Description
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is the function create_supplier of the file /ShowForm/create_supplier/main. Executing a manipulation of the argument company_name can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw has been found in the create_supplier function of SourceCodester Pharmacy Sales and Inventory System 1.0. A malicious value supplied for the company_name parameter can lead to cross‑site scripting. Because the request can be sent from an external site, the attack can be launched remotely. The vulnerability allows the execution of arbitrary JavaScript in the browser context of users who view the affected page. This maps to CWE-79 and CWE-94.

Affected Systems

The issue affects SourceCodester Pharmacy Sales and Inventory System version 1.0. No other versions or products are identified as impacted by this CVE.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity for this XSS flaw. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the existence of a published exploit and the ability to launch the attack remotely suggest that unpatched installations of version 1.0 are at risk of having malicious scripts executed in users’ browsers.

Generated by OpenCVE AI on June 1, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and deploy the official patch or update from SourceCodester that fixes the XSS flaw in the create_supplier function.
  • Add server‑side filtering to the company_name field so that only expected characters are accepted, rejecting any input that does not match the whitelist.
  • Encode or escape the company_name value when it is inserted into HTML pages, ensuring that any embedded markup is rendered harmless.
  • Configure a Content Security Policy header that disallows inline scripts and restricts script origins, reducing the impact should an XSS payload bypass input filtering.
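The following is an added example written for this page, not code from SourceCodester's application (the application's own source is not reproduced here). It shows the three defensive layers in the recommended actions above applied to a hypothetical `create_supplier` handler: a server-side whitelist on `company_name`, HTML escaping at the point the stored value is rendered, and a Content Security Policy header on every response. The language, the handler signature and the whitelist pattern are assumptions; the sample inputs are constructed.

```python
import html
import re
from dataclasses import dataclass, field

# Assumed whitelist for a supplier name: letters, digits, spaces and a few
# punctuation characters that appear in real company names. Anything else,
# including angle brackets and quotes, is rejected outright.
COMPANY_NAME_RE = re.compile(r"^[A-Za-z0-9 .,&'()\-]{1,100}$")

# Assumed policy: no inline scripts, scripts only from the application's own origin.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


class ValidationError(ValueError):
    """Raised when a submitted field fails the server-side whitelist."""


def validate_company_name(value: str) -> str:
    """Server-side whitelist check (action 2). Returns the trimmed value or raises."""
    cleaned = value.strip()
    if not COMPANY_NAME_RE.fullmatch(cleaned):
        raise ValidationError("company_name contains characters outside the allowed set")
    return cleaned


def render_supplier_row(company_name: str) -> str:
    """Escape the stored value where it is placed into HTML (action 3).

    Escaping happens here, at output time, regardless of whether the value
    passed validation on the way in: the whitelist still admits '&' and "'".
    """
    return "<tr><td>{}</td></tr>".format(html.escape(company_name, quote=True))


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def create_supplier(form: dict, store: list) -> Response:
    """Hypothetical stand-in for the vulnerable create_supplier endpoint.

    `form` is the submitted field dict, `store` is an in-memory list standing in
    for the suppliers table. The CSP header is attached to every response
    (action 4) so that a payload that somehow bypassed filtering cannot run inline.
    """
    headers = {"Content-Security-Policy": CSP_HEADER}
    try:
        name = validate_company_name(form.get("company_name", ""))
    except ValidationError as exc:
        # Error text is escaped too, so the rejection page cannot reflect markup.
        return Response(400, f"<p>{html.escape(str(exc))}</p>", headers)
    store.append(name)
    rows = "".join(render_supplier_row(n) for n in store)
    return Response(200, f"<table>{rows}</table>", headers)


if __name__ == "__main__":
    suppliers = []  # constructed, empty suppliers table
    ok = create_supplier({"company_name": "Acme Pharma & Co."}, suppliers)
    bad = create_supplier({"company_name": "<script>alert(1)</script>"}, suppliers)
    print(ok.status, ok.body)
    print(bad.status, bad.body)
    print(ok.headers["Content-Security-Policy"])
```

The whitelist and the output encoding are independent layers: the regex deliberately admits `&` and `'`, so the rendered row still relies on `html.escape` to turn them into entities, and the CSP header limits what a script could do if both earlier layers were misconfigured.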

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 11:00:00 +0000

Type | Values Removed | Values Added
Description | - | A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is the function create_supplier of the file /ShowForm/create_supplier/main. Executing a manipulation of the argument company_name can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used.
Title | - | SourceCodester Pharmacy Sales and Inventory System main create_supplier cross site scripting
First Time appeared | - | Sourcecodester; Sourcecodester pharmacy Sales And Inventory System
Weaknesses | - | CWE-79; CWE-94
CPEs | - | cpe:2.3:a:sourcecodester:pharmacy_sales_and_inventory_system:*:*:*:*:*:*:*:*
Vendors & Products | - | Sourcecodester; Sourcecodester pharmacy Sales And Inventory System
References | - | -
Metrics | - | (listed below)
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T09:30:09.387Z

Reserved: 2026-05-31T10:15:12.149Z

Link: CVE-2026-10245

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-01T11:16:23.603

Modified: 2026-06-01T13:14:43.470

Link: CVE-2026-10245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T13:30:06Z

Weaknesses