Description
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_product.php.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Patch Now
AI Analysis

Impact

The Pharmacy Point of Sale System version 1.0 contains an uncontrolled SQL injection flaw in the /pharmacy/view_product.php endpoint. An attacker who can supply crafted input directly into the SQL query can execute arbitrary database commands, potentially reading sensitive business data, modifying inventory or transaction records, or compromising the entire database. This vulnerability is classified as CWE-89 and represents a serious threat to the confidentiality and integrity of the system’s information.

Affected Systems

The affected product is Pharmacy Point of Sale System version 1.0, developed by oretnom23 and distributed via the Sourcecodester platform. No other versions or vendors are listed, so the scope is limited to this specific release.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical, while the EPSS is listed as less than 1%, indicating a low current likelihood of exploitation. The vulnerability is not present in the CISA KEV catalog. Attackers would most likely target the exposed web endpoint over the network, sending malicious payloads in HTTP requests. No special conditions beyond access to the /pharmacy/view_product.php page are required.

Generated by OpenCVE AI on April 17, 2026 at 13:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a fixed version of Pharmacy Point of Sale System once one is available; none is currently provided.
  • Restrict access to the /pharmacy/view_product.php endpoint to authorized users only, using firewall rules or application‑level authentication.
  • Replace insecure string concatenation in database queries with parameterized statements or stored procedures, and validate all input before inclusion in SQL commands.
  • Audit database tables for unauthorized changes and regenerate credentials with strong passwords.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Uncontrolled SQL Injection in Pharmacy Point of Sale System Allows Unauthorized Database Access |

Wed, 04 Mar 2026 11:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Sourcecodester, Sourcecodester pharmacy Point Of Sale System |
| Vendors & Products | | Sourcecodester, Sourcecodester pharmacy Point Of Sale System |

Tue, 03 Mar 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Oretnom23, Oretnom23 pharmacy Point Of Sale System |
| CPEs | | cpe:2.3:a:oretnom23:pharmacy_point_of_sale_system:1.0:*:*:*:*:*:*:* |
| Vendors & Products | | Oretnom23, Oretnom23 pharmacy Point Of Sale System |

Tue, 03 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-89 |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Mon, 02 Mar 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_product.php. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T15:04:45.584Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26705

Vulnrichment

Updated: 2026-03-03T15:04:37.529Z

NVD

Status : Analyzed

Published: 2026-03-02T18:16:26.673

Modified: 2026-03-03T15:38:33.790

Link: CVE-2026-26705

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z
