Description
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The create_supplier function in the Pharmacy Sales and Inventory System accepts the Address/Company Name parameter and writes it into the exported CSV without neutralising formula characters. A value that begins with =, +, -, @ (or a tab or carriage return) is treated as a formula rather than text when the exported file is opened in a spreadsheet application. A DDE-style formula (one beginning with =cmd|) can therefore run commands on the machine of whoever opens the export, once that user accepts the spreadsheet's own security prompts; quieter payloads such as =HYPERLINK() need no prompt and can lure the user to an attacker-controlled URL. Note that the attacker-chosen code runs on the client workstation that opens the file, not on the server, so this is command execution against staff who use the export feature rather than remote code execution against the application itself. This is a classic CSV injection, catalogued as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) and, more generally, CWE-74.

Affected Systems

SourceCodester Pharmacy Sales and Inventory System versions up to and including 1.0 are affected. The issue lies in the Supplier Creation Interface component, specifically the create_supplier function reached through /Export_csv/export. No fixed release is known at the time of writing, so every deployment of this product should be treated as susceptible.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 5.1 (medium); the CVSS 3.x score is 4.7. The vector requires high privileges (PR:H), so the attacker must already hold an account that is allowed to create suppliers, which makes the realistic scenario a malicious insider or a compromised staff account. EPSS is below 1% and the CVE is not in the CISA KEV catalogue, but the exploit has been publicly disclosed (the vector's E:P marks it as proof-of-concept). The attack is stored rather than delivered directly: the attacker plants a formula in a supplier record, and the payload fires later when another user exports the supplier list and opens the CSV in a spreadsheet. The low confidentiality, integrity and availability ratings reflect that the damage lands on the client workstation and depends on the victim accepting the spreadsheet's warnings; even so, the public exploit and the low skill required warrant prompt mitigation.

Generated by OpenCVE AI on June 1, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed release is currently available; watch the vendor for a version that addresses the CSV injection flaw and update as soon as one appears.
  • Neutralise all user‑supplied Address/Company Name values before writing them to CSV output: prefix any value that begins with =, +, -, @, a tab or a carriage return with a single quote so spreadsheets render it as text, and quote every field so embedded commas, quotes and newlines cannot break the row.
  • Restrict the export CSV feature to authenticated and authorised personnel only, and log all export operations for audit purposes.
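The following is an added example, not code from the page or from the SourceCodester project (whose implementation language is not stated here), written in Python to show both the neutralisation step recommended above and a check for payloads that an attacker with a supplier-creation account may already have stored. Function names, the column names "Company Name" and "Address", and the sample rows and sample export are all constructed for illustration.

```python
import csv
import io
import re

# Leading characters that make Excel, LibreOffice and Google Sheets treat a
# cell as a formula (the set OWASP lists for CSV injection). Tab and carriage
# return are checked separately because lstrip() would swallow them.
FORMULA_LEADERS = ("=", "+", "-", "@")
CONTROL_LEADERS = ("\t", "\r")

# A plain signed decimal such as -5 or +3.25 is a number, not a formula.
_NUMBER = re.compile(r"[+-]?(\d+(\.\d*)?|\.\d+)")


def looks_like_formula(value: str) -> bool:
    """True if a spreadsheet may evaluate this cell instead of displaying it."""
    if value.startswith(CONTROL_LEADERS):
        return True
    stripped = value.lstrip()          # spreadsheets ignore leading spaces
    if not stripped.startswith(FORMULA_LEADERS):
        return False
    return _NUMBER.fullmatch(stripped) is None


def neutralize_cell(value: str) -> str:
    """Prefix a formula-like cell with a single quote so it renders as text.

    The quote is the OWASP-recommended neutraliser; spreadsheets hide it when
    displaying the cell. Field quoting is left to the csv module so commas,
    quotes and newlines inside the value cannot break the row.
    """
    return "'" + value if looks_like_formula(value) else value


def export_suppliers(rows: list) -> str:
    """Hardened stand-in for the supplier export (constructed, not the
    project's code): every cell is neutralised before it is written."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["Company Name", "Address"])
    for row in rows:
        writer.writerow([neutralize_cell(row["company"]),
                         neutralize_cell(row["address"])])
    return buf.getvalue()


def audit_csv(csv_text: str) -> list:
    """Scan an existing export and return (row, column, value) for every cell
    a spreadsheet would evaluate: a quick check for payloads an attacker with
    a supplier-creation account has already stored in the supplier table."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if looks_like_formula(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample data: one hostile supplier record beside a benign one.
SAMPLE_ROWS = [
    {"company": "=cmd|'/C calc'!A0", "address": "12 Main St"},   # DDE-style payload
    {"company": "Acme Pharma Ltd", "address": "-5 Low Street"},  # benign
]

# Constructed example of what an unpatched export could emit.
UNSAFE_EXPORT = (
    "Company Name,Address\n"
    "\"=cmd|'/C calc'!A0\",12 Main St\n"
    "Acme Pharma Ltd,\"@SUM(1,2)\"\n"
)

if __name__ == "__main__":
    print("cells to fix in the old export:", audit_csv(UNSAFE_EXPORT))
    print(export_suppliers(SAMPLE_ROWS))
    print("cells left in the hardened export:", audit_csv(export_suppliers(SAMPLE_ROWS)))
```

The number check keeps ordinary values such as -5 or +3.25 untouched, but anything else with a formula leader gets the quote, including an address like "-5 Low Street" or a phone number written as "+44 20 7946 0000". That is the intended trade-off: the quote is invisible in a spreadsheet, and a downstream program that consumes the CSV as data can strip a leading single quote far more safely than a spreadsheet can decline to evaluate a formula. audit_csv can be pointed at exports already produced by the unpatched system to find records an attacker seeded before the export was hardened.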


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 11:00:00 +0000

Values added (no values removed; this entry created the record):

Description: A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Title: SourceCodester Pharmacy Sales and Inventory System Supplier Creation export create_supplier csv injection
First Time appeared: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System
Weaknesses: CWE-1236; CWE-74
CPEs: cpe:2.3:a:sourcecodester:pharmacy_sales_and_inventory_system:*:*:*:*:*:*:*:*
Vendors & Products: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System
References: (none)
Metrics:
  cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Pharmacy Sales And Inventory System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T14:52:18.698Z

Reserved: 2026-05-31T10:15:20.424Z

Link: CVE-2026-10248

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-01T11:16:24.090

Modified: 2026-06-01T13:14:43.470

Link: CVE-2026-10248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T12:30:28Z

Weaknesses