Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Overselling and Inventory Drain
Action: Validate Input
AI Analysis

Impact

The vulnerability is a business logic flaw in the SourceCodester Pharmacy Product Management System: add-sales.php records a sale without checking that the requested quantity is covered by the stock on hand. An attacker who can submit the sales form alters the txtqty parameter and purchases far more units than exist, leaving the recorded inventory short or negative, with potential financial loss and customer dissatisfaction. The flaw is classed as CWE-841 (Improper Enforcement of Behavioral Workflow); the record's history also lists CWE-20 (Improper Input Validation), since the root cause is a missing server-side check on a client-supplied value.

Affected Systems

The flaw affects version 1.0 of the SourceCodester Pharmacy Product Management System, which the CPE records as the Senior-walter web-based Pharmacy Product Management System 1.0. Any deployment of this build is affected; no fixed version is recorded.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) scores 7.5 High: network-reachable, low complexity, no privileges or user interaction required, with the impact confined to integrity (stock and sales records). The EPSS score below 1% and absence from CISA's KEV catalog indicate little observed exploitation so far, but the SSVC assessment marks the flaw as automatable with a public proof of concept, and the request is trivial to craft: any user who can submit the add-sales.php form can set txtqty to an arbitrary value. PR:N reflects an assessment that the form is reachable without credentials; where a deployment restricts sales entry to authenticated staff, the pool of attackers narrows to insiders and compromised accounts. For businesses that rely on accurate inventory counts and revenue reporting the impact can be significant.

Generated by OpenCVE AI on March 31, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement server‑side validation of txtqty (a positive, bounded integer) and perform the stock check and the stock decrement as a single atomic database operation, so that two concurrent sales cannot both pass a separate check‑then‑update.
  • Patch add‑sales.php to include that check, or apply a vendor‑issued security patch if one is released.
  • As a stopgap, cap txtqty at a fixed ceiling with a web application firewall or custom rule; a WAF cannot see stock levels, so this limits but does not prevent overselling.
  • Monitor sales logs and reconcile recorded stock against sales; a product with a negative stock count, or a sale whose quantity exceeds the stock recorded before it, is direct evidence of exploitation.
  • If a patch is not yet available, restrict access to the sales submission form to trusted staff until a fix is deployed.
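The following is an added example, not code from the SourceCodester project, covering the missing check described under Impact and the first, second and fourth recommended actions above. It assumes a products table with an integer stock column and a sales table (table and column names are assumptions; the real add-sales.php schema is not shown on this page) and uses an in-memory SQLite database through PDO so it runs stand-alone. The unchecked function reproduces the class of flaw the description reports, not the project's actual code.

```php
<?php
// Added example, not code from the SourceCodester project. Table and column
// names (products.id, products.stock, sales.product_id, sales.qty) are
// assumptions; the real add-sales.php schema is not shown on this page.
declare(strict_types=1);

// Shape of the flaw as described: the quantity is taken from the request and
// written straight to the database, so stock can go negative. Illustrative only.
function record_sale_unchecked(PDO $db, int $productId, string $txtqty): void
{
    $qty = (int) $txtqty;
    $db->prepare('UPDATE products SET stock = stock - :q WHERE id = :id')
       ->execute([':q' => $qty, ':id' => $productId]);
    $db->prepare('INSERT INTO sales (product_id, qty) VALUES (:id, :q)')
       ->execute([':id' => $productId, ':q' => $qty]);
}

// Hardened version: validate txtqty, then check and decrement stock in one
// conditional UPDATE so concurrent requests cannot both pass a separate check.
function record_sale(PDO $db, int $productId, string $txtqty): array
{
    // Digits only, positive, bounded. Rejects "", "-3", "0", "1e9", "10 OR 1=1".
    if (!preg_match('/^[1-9][0-9]{0,5}$/', $txtqty)) {
        return ['ok' => false, 'reason' => 'invalid quantity'];
    }
    $qty = (int) $txtqty;

    $db->beginTransaction();
    try {
        // The WHERE clause is the stock check: if stock < qty no row changes.
        $upd = $db->prepare(
            'UPDATE products SET stock = stock - :q WHERE id = :id AND stock >= :q2'
        );
        $upd->execute([':q' => $qty, ':id' => $productId, ':q2' => $qty]);
        if ($upd->rowCount() !== 1) {
            $db->rollBack();
            return ['ok' => false, 'reason' => 'insufficient stock'];
        }
        $db->prepare('INSERT INTO sales (product_id, qty) VALUES (:id, :q)')
           ->execute([':id' => $productId, ':q' => $qty]);
        $db->commit();
        return ['ok' => true, 'qty' => $qty];
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Integrity check for the monitoring step: products whose recorded stock has
// gone negative are direct evidence of overselling.
function oversold_products(PDO $db): array
{
    return $db->query('SELECT id, name, stock FROM products WHERE stock < 0')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the file runs stand-alone: php add-sales-check.php
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, stock INTEGER NOT NULL)');
$db->exec('CREATE TABLE sales (id INTEGER PRIMARY KEY AUTOINCREMENT, product_id INTEGER, qty INTEGER)');
$db->exec("INSERT INTO products VALUES (1, 'Paracetamol 500mg', 10), (2, 'Ibuprofen 200mg', 10)");

// Product 1 through the unchecked path with txtqty=500 against a stock of 10.
record_sale_unchecked($db, 1, '500');
foreach (oversold_products($db) as $p) {
    printf("OVERSOLD: %s stock=%d\n", $p['name'], $p['stock']);
}

// Product 2 through the hardened path with the same and other hostile inputs.
foreach (['500', '-3', '0', '7', '7'] as $txtqty) {
    $r = record_sale($db, 2, $txtqty);
    printf("txtqty=%-4s -> %s\n", $txtqty,
        $r['ok'] ? "sold {$r['qty']}" : "rejected ({$r['reason']})");
}
printf("stock remaining for product 2: %d\n",
    $db->query('SELECT stock FROM products WHERE id = 2')->fetchColumn());
```

The design point is that the stock comparison lives in the UPDATE's WHERE clause rather than in a SELECT followed by an UPDATE: the database performs check and decrement as one statement, so two requests racing for the last units cannot both succeed. The regex on txtqty rejects negative and non-numeric values before they reach arithmetic, and the negative-stock query is the cheapest reconciliation check to schedule while the fix is pending.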

Generated by OpenCVE AI on March 31, 2026 at 19:45 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Business Logic Overselling in Pharmacy Product Management System

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Senior-walter
Senior-walter web-based Pharmacy Product Management System
CPEs cpe:2.3:a:senior-walter:web-based_pharmacy_product_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Senior-walter
Senior-walter web-based Pharmacy Product Management System

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Title Business Logic Overselling in Pharmacy Product Management System
First Time appeared Sourcecodester
Sourcecodester pharmacy Product Management System
Vendors & Products Sourcecodester
Sourcecodester pharmacy Product Management System

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Business Logic Overselling in SourceCodester Pharmacy Product Management System 1.0
Weaknesses CWE-20

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Business Logic Overselling in SourceCodester Pharmacy Product Management System 1.0
Weaknesses CWE-20

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-841
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T19:09:43.443Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30574

Vulnrichment

Updated: 2026-03-27T19:08:03.012Z

NVD

Status : Analyzed

Published: 2026-03-27T17:16:28.823

Modified: 2026-03-31T18:03:28.640

Link: CVE-2026-30574

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:01:23Z

Weaknesses