Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters during stock entry, allowing negative financial values to be submitted. This leads to corruption of financial records, allowing attackers to manipulate inventory asset values and procurement costs.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Financial Record Manipulation
Action: Apply Fix
AI Analysis

Impact

A business logic flaw in the add-stock.php module of Web-Based Pharmacy Product Management System version 1.0 allows the application to accept negative values for the txtprice and txttotalcost fields without validation. The unchecked negative numbers corrupt financial records, enabling an attacker to artificially lower inventory asset values and procurement costs, thereby skewing reported financial statements and potentially stealing value from the organization. This weakness maps to CWE-20 (Improper Input Validation).

Affected Systems

The vulnerability exists in SourceCodester Pharmacy Product Management System 1.0, a PHP‑based web application that manages pharmacy inventory. No specific vendor is listed in the CNA data, but the application is identified by the CPE string for senior‑walter:web‑based_pharmacy_product_management_system 1.0.

Risk and Exploitability

With a CVSS score of 7.5, the severity is rated High. The EPSS score of less than 1% indicates a low likelihood that existing exploit code is available in the wild. The vulnerability is not in the CISA KEV catalog. The most likely attack vector is via the web interface that handles stock entries, and it probably requires administrative privileges to access add-stock.php. Once accessed, an attacker can submit negative numeric values to corrupt the system's financial data.

Generated by OpenCVE AI on March 31, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the add‑stock.php code to enforce server‑side validation that txtprice and txttotalcost are positive numeric values
  • Enforce authentication and restrict add‑stock.php access to administrators only
  • Audit the database for existing negative entries and correct financial records
  • Implement logging and monitor for abnormal stock entry attempts
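
The first and last recommendations, sketched as an added example that is not the application's own code: server-side validation of the two amounts named in the advisory, with rejected submissions logged. Only the field names txtprice and txttotalcost come from this page; the function names, the two-decimal format and the seven-digit limit are assumptions, and the code needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

/**
 * Parse a submitted amount into integer cents (hypothetical helper).
 * Returns null unless the value is a strictly positive decimal with at most
 * seven integer digits and two decimal places (assumed business limits).
 */
function parse_positive_cents(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing field or array input such as txtprice[]=1
    }
    // Plain digits only: rejects "-5", "+5", "1e3", "0x1A", "" and trailing newlines.
    if (!preg_match('/^(\d{1,7})(?:\.(\d{1,2}))?$/D', trim($raw), $m)) {
        return null;
    }
    $cents = (int) $m[1] * 100 + (int) str_pad($m[2] ?? '', 2, '0');
    return $cents > 0 ? $cents : null; // zero is not a valid price or cost
}

/** Validate both financial fields of a stock-entry submission (hypothetical helper). */
function validate_stock_amounts(array $post): array
{
    $values = [];
    $errors = [];
    foreach (['txtprice', 'txttotalcost'] as $field) {
        $cents = parse_positive_cents($post[$field] ?? null);
        if ($cents === null) {
            $errors[] = "$field must be a positive amount with at most two decimals";
        } else {
            $values[$field] = $cents;
        }
    }
    return ['ok' => $errors === [], 'values' => $values, 'errors' => $errors];
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['txtprice' => '12.50', 'txttotalcost' => '250'],
    ['txtprice' => '-12.50', 'txttotalcost' => '-250'],
    ['txtprice' => '1e3', 'txttotalcost' => ['0']],
];
foreach ($samples as $post) {
    $result = validate_stock_amounts($post);
    if (!$result['ok']) {
        // Rejections are logged so abnormal stock-entry attempts can be monitored.
        error_log('rejected stock entry: ' . implode('; ', $result['errors']));
    }
    echo json_encode($result), PHP_EOL;
}
```

Storing the parsed integer cents rather than the raw string keeps the values that reach the database in the same form that was validated.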

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Business Logic Vulnerability Allowing Negative Financial Values in Web‑Based Pharmacy Product Management System

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Senior-walter
Senior-walter web-based Pharmacy Product Management System
CPEs cpe:2.3:a:senior-walter:web-based_pharmacy_product_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Senior-walter
Senior-walter web-based Pharmacy Product Management System

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester pharmacy Product Management System
Vendors & Products Sourcecodester
Sourcecodester pharmacy Product Management System

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Negative Financial Values Allowing Inventory Asset Manipulation in SourceCodester Pharmacy Product Management System 1.0

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Negative Financial Values Allowing Inventory Asset Manipulation in SourceCodester Pharmacy Product Management System 1.0

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters during stock entry, allowing negative financial values to be submitted. This leads to corruption of financial records, allowing attackers to manipulate inventory asset values and procurement costs.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T19:06:50.950Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30576

Vulnrichment

Updated: 2026-03-27T19:05:50.412Z

NVD

Status: Analyzed

Published: 2026-03-27T17:16:29.057

Modified: 2026-03-31T16:14:39.967

Link: CVE-2026-30576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:01:22Z
