Description
Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php.
Published: 2026-03-03
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic SQL Injection flaw in the Pharmacy Point of Sale System, allowing an attacker to manipulate the SQL query performed through /pharmacy/manage_category.php. This injection could provide the attacker with the ability to read, modify, or delete data from the underlying database, potentially compromising the confidentiality and integrity of sensitive business information. The flaw is classified as CWE‑89, a direct consequence of unsanitized input reaching the database layer.

Affected Systems

The affected system is the Sourcecodester Pharmacy Point of Sale System version 1.0. No other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score for this vulnerability is 2.7, indicating low overall severity. The EPSS score is less than 1 %, suggesting a very low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. Attackers are most likely to exploit this flaw by sending crafted requests to the /pharmacy/manage_category.php endpoint over the web. While the risk is comparatively low, the impact of successful exploitation could be significant to the affected business.

Generated by OpenCVE AI on April 17, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately check for and apply any vendor‑supplied update or patch for the Pharmacy Point of Sale System; if none exists, plan to upgrade to a newer, patched release.
  • Revise the code at /pharmacy/manage_category.php to eliminate direct query concatenation by using parameterized statements or prepared queries, ensuring all user inputs are properly sanitized.
  • Restrict access to the manage category endpoint by enforcing authentication, role‑based access control, and, if possible, network filtering or a web application firewall to block or rate‑limit suspicious requests.

Generated by OpenCVE AI on April 17, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Sourcecodester Pharmacy Point of Sale System 1.0

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester pharmacy Point Of Sale System
Vendors & Products Sourcecodester
Sourcecodester pharmacy Point Of Sale System

Wed, 04 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Oretnom23
Oretnom23 pharmacy Point Of Sale System
CPEs cpe:2.3:a:oretnom23:pharmacy_point_of_sale_system:1.0:*:*:*:*:*:*:*
Vendors & Products Oretnom23
Oretnom23 pharmacy Point Of Sale System

Tue, 03 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Description Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php.
References

Subscriptions

Oretnom23 Pharmacy Point Of Sale System
Sourcecodester Pharmacy Point Of Sale System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T20:27:38.630Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26889

cve-icon Vulnrichment

Updated: 2026-03-03T20:27:20.621Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T20:16:48.993

Modified: 2026-03-04T03:58:04.713

Link: CVE-2026-26889

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses