Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This causes the system to decrease the inventory level instead of increasing it, leading to inventory corruption and potential Denial of Service by depleting stock records.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Inventory Corruption & Denial of Service
Action: Patch Now
AI Analysis

Impact

An input‑validation flaw in SourceCodester Pharmacy Product Management System 1.0, specifically in add‑stock.php, allows the txtqty parameter to be set to negative values. Rather than increasing the inventory level, the system decreases it, corrupting stock records and potentially depleting product quantities entirely, which can block pharmacy operations. The weakness is a classic business‑logic bypass and aligns with CWE‑20 (Improper Input Validation).

Affected Systems

SourceCodester Pharmacy Product Management System, version 1.0, the add‑stock.php module is affected. No other vendors or product versions are reported.

Risk and Exploitability

The vulnerability can be exploited by any user who can reach the add‑stock endpoint; it is inferred that authentication is required but not enforced. The CVSS score of 7.5 indicates high severity. EPSS data are not available, so exploit probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The lack of input validation means an attacker could repeatedly inject negative quantities to drain inventory, leading to operational disruption.

Generated by OpenCVE AI on March 27, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate the txtqty parameter server‑side, accepting only non‑negative integers.
  • Reject zero or negative values before database insertion.
  • Add a database constraint to prevent negative stock levels.
  • Audit other business‑logic endpoints for similar validation gaps.
  • Monitor transaction logs for abnormal stock adjustments and alert on suspicious activity.

Generated by OpenCVE AI on March 27, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Negative Quantity Stock Depletion Vulnerability in Pharmacy Product Management System

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Negative Quantity Stock Depletion Vulnerability in Pharmacy Product Management System

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
CWE-20
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This causes the system to decrease the inventory level instead of increasing it, leading to inventory corruption and potential Denial of Service by depleting stock records.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T19:00:29.848Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30575

cve-icon Vulnrichment

Updated: 2026-03-27T18:59:49.944Z

cve-icon NVD

Status : Received

Published: 2026-03-27T17:16:28.947

Modified: 2026-03-27T20:16:29.333

Link: CVE-2026-30575

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:27:38Z

Weaknesses