Description
Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php.
Published: 2026-03-03
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply patch
AI Analysis

Impact

The Sourcecodester Pharmacy Point of Sale System version 1.0 contains an SQL Injection vulnerability in the manage_supplier.php handler. An attacker can supply specially crafted input that is interpolated directly into database queries, allowing unauthorized read or modification of supplier records. This flaw may enable data disclosure, tampering, or the execution of arbitrary SQL commands, potentially compromising the integrity of the transaction database.

Affected Systems

The affected product is Sourcecodester Pharmacy Point of Sale System, version 1.0. No additional vendor or product variants are listed.

Risk and Exploitability

The CVSS score is 2.7, indicating low severity, and the EPSS score is below 1%, suggesting a very low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is externally accessible, since the flaw exists in a publicly reachable web endpoint. An attacker would need to craft an HTTP request containing malicious input to the /pharmacy/manage_supplier.php script. Because the database credentials used by the application likely have standard privileges, the impact might be limited to data read/write, but unpatched systems remain at risk.

Generated by OpenCVE AI on April 17, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched version of the Pharmacy Point of Sale System if the vendor releases an official fix.
  • Modify the /pharmacy/manage_supplier.php script to use parameterized queries or prepared statements, ensuring that user-supplied data cannot alter SQL command structure.
  • Sanitize and validate all input fields according to the principle of least privilege, allowing only expected data types and lengths, and rejecting or escaping special characters.
  • Enforce least privilege on the database user by restricting its rights to only necessary operations.

Generated by OpenCVE AI on April 17, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Sourcecodester Pharmacy Point of Sale System

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester pharmacy Point Of Sale System
Vendors & Products Sourcecodester
Sourcecodester pharmacy Point Of Sale System

Wed, 04 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
First Time appeared Oretnom23
Oretnom23 pharmacy Point Of Sale System
CPEs cpe:2.3:a:oretnom23:pharmacy_point_of_sale_system:1.0:*:*:*:*:*:*:*
Vendors & Products Oretnom23
Oretnom23 pharmacy Point Of Sale System

Tue, 03 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Description Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php.
References

Subscriptions

Oretnom23 Pharmacy Point Of Sale System
Sourcecodester Pharmacy Point Of Sale System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T20:36:18.642Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26887

cve-icon Vulnrichment

Updated: 2026-03-03T20:28:49.572Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T20:16:48.770

Modified: 2026-03-04T04:00:11.190

Link: CVE-2026-26887

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses