Description
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Fix
AI Analysis

Impact

The Pharmacy Point of Sale System v1.0 contains an SQL injection vulnerability in the "/pharmacy/manage_user.php" endpoint. Input parameters are concatenated directly into an SQL query without sanitization, allowing an attacker to inject arbitrary SQL. This can lead to unauthorized reading, modification, or deletion of data stored in the backend database, compromising the confidentiality, integrity, and availability of the application.

Affected Systems

Installations of oretnom23’s Pharmacy Point of Sale System version 1.0 are affected. No other versions are listed as impacted, and no vendor patch is available. Users running this version are exposed to the flaw.

Risk and Exploitability

The CVSS score of 9.8 classifies the flaw as critical. The EPSS score of <1% indicates a low but non‑zero exploitation probability. The vulnerability is exploitable over the network by sending crafted requests to the vulnerable endpoint; authentication is not mentioned in the description, suggesting that the endpoint may be reachable without prior authentication. Because SQL injection can result in data compromise and potential escalation to further attacks, the risk remains high despite the low exploitation probability.

Generated by OpenCVE AI on April 17, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Refactor the affected code to use parameterized queries or prepared statements in "/pharmacy/manage_user.php"
  • Enforce strict authentication and role‑based access control so that only authorized users can access the manage_user.php endpoint
  • Deploy a web application firewall or intrusion detection system tuned to block common SQL injection patterns
  • If a vendor patch is released, apply it immediately

Generated by OpenCVE AI on April 17, 2026 at 13:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Title SQL Injection in Pharmacy Point of Sale System v1.0

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester pharmacy Point Of Sale System
Vendors & Products Sourcecodester
Sourcecodester pharmacy Point Of Sale System

Tue, 03 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Oretnom23
Oretnom23 pharmacy Point Of Sale System
CPEs cpe:2.3:a:oretnom23:pharmacy_point_of_sale_system:1.0:*:*:*:*:*:*:*
Vendors & Products Oretnom23
Oretnom23 pharmacy Point Of Sale System

Tue, 03 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php.
References

Subscriptions

Oretnom23 Pharmacy Point Of Sale System
Sourcecodester Pharmacy Point Of Sale System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T15:01:37.598Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26708

cve-icon Vulnrichment

Updated: 2026-03-03T15:01:20.336Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-02T17:16:33.313

Modified: 2026-03-03T15:38:42.280

Link: CVE-2026-26708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses