Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters, allowing attackers to submit negative values for sales transactions. This leads to incorrect financial calculations, corruption of sales reports, and potential financial loss.
Published: 2026-04-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Financial Loss Due to Invalid Negative Pricing
Action: Immediate Fix
AI Analysis

Impact

The application does not check the values of the "txtprice" and "txttotalcost" fields in add-sales.php, so any user who can reach the form can submit negative numbers. The system then records sales transactions with negative amounts, which in turn corrupts sales totals, inventory accounting, and revenue reports. The vulnerability is a business‑logic flaw (CWE-1284, improper validation of specified quantity in input) that can cause a monetary loss for the business and undermine the integrity of its financial data.

Affected Systems

The flaw exists in the SourceCodester Pharmacy Product Management System version 1.0. Any deployment of this product that uses the add‑sales module is vulnerable, as the system can accept unvalidated input when performing sales entries.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high‑severity vulnerability, while the EPSS score of less than 1% implies that the likelihood of exploitation is currently low. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires access to the add‑sales form, which is typically available to authenticated staff users; the attack itself is application‑layer input manipulation. An attacker who can submit crafted form data with negative prices and costs causes incorrect financial calculations and creates an opportunity for fraud.

Generated by OpenCVE AI on April 7, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate all numeric inputs on the server side to reject negative, zero, or otherwise invalid values
  • Update to the latest release of the Pharmacy Product Management System if a patch is available
  • If no patch exists, modify the add-sales.php logic to enforce a positive price and cost before processing
  • Review and test other business‑logic paths that may have similar input validation omissions
  • Monitor financial reports for anomalies and audit transaction logs for suspicious entries
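The following is an added example of the server-side check the recommended actions call for; it is not code from the SourceCodester project, and it does not reproduce add-sales.php. Only the field names "txtprice" and "txttotalcost" come from the advisory; the quantity field name "txtqty", the function names, the upper limits, and the decision to recompute the total on the server instead of trusting the submitted one are assumptions made for this example.

```php
<?php
// Added example (not the project's code): server-side validation for the
// sales form parameters named in the advisory. Field name "txtqty", the
// function names and the limits are assumptions.
declare(strict_types=1);

/**
 * Parse a money field as integer cents. Rejects anything that is not a
 * plain unsigned decimal with at most two fractional digits, so "-12.50",
 * "1e3", " 5" and "" are all refused before any arithmetic happens.
 */
function parseMoneyField(array $post, string $name, int $maxCents = 100000000): int
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        throw new InvalidArgumentException("$name is missing");
    }
    $raw = $post[$name];
    // Anchored pattern: no sign, no exponent, no whitespace, max 2 decimals.
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $raw)) {
        throw new InvalidArgumentException("$name must be a positive decimal amount");
    }
    // Work in integer cents to avoid floating-point rounding surprises.
    [$whole, $frac] = array_pad(explode('.', $raw, 2), 2, '0');
    $cents = (int)$whole * 100 + (int)str_pad($frac, 2, '0');
    if ($cents <= 0 || $cents > $maxCents) {
        throw new InvalidArgumentException("$name is out of range");
    }
    return $cents;
}

/** Parse a quantity field as a positive bounded integer. */
function parseQuantityField(array $post, string $name, int $max = 100000): int
{
    if (!isset($post[$name]) || !is_string($post[$name]) || !preg_match('/^\d{1,6}$/', $post[$name])) {
        throw new InvalidArgumentException("$name must be a positive integer");
    }
    $qty = (int)$post[$name];
    if ($qty <= 0 || $qty > $max) {
        throw new InvalidArgumentException("$name is out of range");
    }
    return $qty;
}

/**
 * Validate one sale submission. The total is recomputed from price and
 * quantity on the server; the client-supplied txttotalcost is only
 * compared against that figure, never stored as submitted.
 */
function validateSale(array $post): array
{
    $priceCents = parseMoneyField($post, 'txtprice');
    $qty        = parseQuantityField($post, 'txtqty');   // assumed field name
    $expected   = $priceCents * $qty;
    $submitted  = parseMoneyField($post, 'txttotalcost');
    if ($submitted !== $expected) {
        throw new InvalidArgumentException('txttotalcost does not match price * quantity');
    }
    return ['price_cents' => $priceCents, 'qty' => $qty, 'total_cents' => $expected];
}

// Constructed sample submissions standing in for $_POST.
$cases = [
    'valid'    => ['txtprice' => '12.50',  'txtqty' => '3', 'txttotalcost' => '37.50'],
    'negative' => ['txtprice' => '-12.50', 'txtqty' => '3', 'txttotalcost' => '-37.50'],
    'mismatch' => ['txtprice' => '12.50',  'txtqty' => '3', 'txttotalcost' => '0.01'],
    'exponent' => ['txtprice' => '1e3',    'txtqty' => '1', 'txttotalcost' => '1000'],
    'zero'     => ['txtprice' => '0',      'txtqty' => '1', 'txttotalcost' => '0'],
];
foreach ($cases as $label => $post) {
    try {
        $r = validateSale($post);
        printf("%-9s accepted: total %d cents\n", $label, $r['total_cents']);
    } catch (InvalidArgumentException $e) {
        printf("%-9s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Only the "valid" case is accepted; the negative, mismatched, exponent and zero submissions are rejected before anything reaches the database. Integer cents are used instead of floats so that the equality check between the submitted and recomputed totals is exact, and the regular expressions are anchored so that PHP's lenient numeric casting is never given a chance to accept a malformed string.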

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Negative Pricing in Pharmacy Sales Leads to Financial Loss

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Senior-walter
Senior-walter web-based Pharmacy Product Management System
CPEs cpe:2.3:a:senior-walter:web-based_pharmacy_product_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Senior-walter
Senior-walter web-based Pharmacy Product Management System

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester web-based Pharmacy Product Management System
Vendors & Products Sourcecodester
Sourcecodester web-based Pharmacy Product Management System

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Negative Pricing in Pharmacy Sales Leads to Financial Loss

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters, allowing attackers to submit negative values for sales transactions. This leads to incorrect financial calculations, corruption of sales reports, and potential financial loss.
Weaknesses CWE-1284
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Senior-walter Web-based Pharmacy Product Management System
Sourcecodester Web-based Pharmacy Product Management System
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T17:52:39.630Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30573

Vulnrichment

Updated: 2026-04-01T17:49:29.409Z

NVD

Status : Analyzed

Published: 2026-04-01T15:22:59.387

Modified: 2026-04-07T12:06:55.873

Link: CVE-2026-30573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:59:58Z

Weaknesses