CVE-2026-10255 - Vulnerability Details

- SourceCodester Pharmacy Sales and Inventory System ShowForm.php sell_statement access control

Description

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function sell_statement of the file application/controllers/ShowForm.php. Such manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Published: 2026-06-01

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A weakness in the sell_statement function of SourceCodester Pharmacy Sales and Inventory System allows improper access controls, giving an attacker the ability to view sales statements that should be restricted to authorized users. The CVE description confirms that the issue can be exploited remotely, and the referenced CWE identifiers indicate an authorization bypass and improper access control flaw.

Affected Systems

SourceCodester Pharmacy Sales and Inventory System version 1.0 is affected. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS score of 6.9 places this vulnerability in the medium severity range. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers can launch the exploit remotely, potentially exposing confidential sales data and creating a foothold for further attacks if additional sensitive areas are accessible. While the impact is not critical, the ability to bypass access controls over a public endpoint warrants immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Pharmacy Sales and Inventory System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Sourcecodester

Pharmacy Sales And Inventory System

95%

Version	Status	Scheme	Platform
`[1.0,1.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Implement proper authentication and role-based authorization checks in the sell_statement function to ensure only privileged users can access sales statements.
Apply any vendor‑supplied patch or update released for Pharmacy Sales and Inventory System that addresses the access control issue as soon as it becomes available.
If no patch exists, modify the application logic to explicitly verify the user’s session and role before generating the sales report, or restrict the endpoint to authenticated users only.
As a temporary safety measure, restrict web access to application/controllers/ShowForm.php via .htaccess or move it outside the web‑root until the flaw is corrected.

Generated by OpenCVE AI on June 1, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/timeflies123/cve/issues/7
https://vuldb.com/cve/CVE-2026-10255
https://vuldb.com/submit/824148
https://vuldb.com/vuln/367533
https://vuldb.com/vuln/367533/cti
https://www.sourcecodester.com/

History

Mon, 01 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 13:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function sell_statement of the file application/controllers/ShowForm.php. Such manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Title		SourceCodester Pharmacy Sales and Inventory System ShowForm.php sell_statement access control
First Time appeared		Sourcecodester Sourcecodester pharmacy Sales And Inventory System
Weaknesses		CWE-266 CWE-284
CPEs		cpe:2.3:a:sourcecodester:pharmacy_sales_and_inventory_system::::::::
Vendors & Products		Sourcecodester Sourcecodester pharmacy Sales And Inventory System
References		https://github.com/timeflies123/cve/issues/7 https://vuldb.com/cve/CVE-2026-10255 https://vuldb.com/submit/824148 https://vuldb.com/vuln/367533 https://vuldb.com/vuln/367533/cti https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Sourcecodester Pharmacy Sales And Inventory System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-01T12:00:07.625Z

Updated: 2026-06-01T12:00:07.625Z

Reserved: 2026-05-31T12:32:01.559Z

Link: CVE-2026-10255

Vulnrichment

Updated: 2026-06-01T14:58:02.473Z

NVD

Status : Deferred

Published: 2026-06-01T13:16:29.717

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T14:45:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object