Description
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_category.php.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection capable of arbitrary data manipulation
Action: Patch Immediately
AI Analysis

Impact

Based on the description, it is inferred that the flaw originates from insufficient sanitization of user supplied parameters. The Pharmacy Point of Sale System version 1.0 contains a classic SQL Injection flaw in the /pharmacy/view_category.php script due to insufficient sanitization of user supplied parameters. An attacker can inject malicious SQL code that is passed directly to the database engine, allowing read, update, delete, or even schema-altering operations on the underlying datastore. The vulnerability can lead to data exposure, integrity compromise, and potentially give the attacker full control over the application database.

Affected Systems

The affected product is Pharmacy Point of Sale System, version 1.0, owned by vendor oretnom23 as indicated by the CPE entry. The vulnerability resides in the publicly accessible PHP script /pharmacy/view_category.php and affects all installations running this specific version without an applied fix.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is remote via the web interface and that the vulnerable endpoint is publicly accessible. The CVSS score of 9.8 marks this flaw as critical, while the EPSS score of less than 1% suggests that exploitation likelihood is currently very low. The system is not listed in the CISA KEV catalog. However, the attacker can reach the vulnerable endpoint without authentication, making the risk of exploitation primarily opportunistic but high impact once achieved.

Generated by OpenCVE AI on April 17, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a patched release if available
  • Restrict direct access to /pharmacy/view_category.php to authenticated users or specific IP ranges
  • Refactor the application to use prepared statements or parameterized queries to eliminate unsanitized input
  • Monitor web application logs for anomalous query parameters and database errors

Generated by OpenCVE AI on April 17, 2026 at 13:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester pharmacy Point Of Sale System
Vendors & Products Sourcecodester
Sourcecodester pharmacy Point Of Sale System

Tue, 03 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Oretnom23
Oretnom23 pharmacy Point Of Sale System
CPEs cpe:2.3:a:oretnom23:pharmacy_point_of_sale_system:1.0:*:*:*:*:*:*:*
Vendors & Products Oretnom23
Oretnom23 pharmacy Point Of Sale System

Tue, 03 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_category.php.
References

Subscriptions

Oretnom23 Pharmacy Point Of Sale System
Sourcecodester Pharmacy Point Of Sale System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T15:03:30.356Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26704

cve-icon Vulnrichment

Updated: 2026-03-03T15:03:23.934Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-02T18:16:26.553

Modified: 2026-03-03T15:38:37.817

Link: CVE-2026-26704

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses