Description
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of the argument ID can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected)
Action: Apply Patch
AI Analysis

Impact

The vulnerability permits reflected cross-site scripting through manipulation of the ID parameter in /index.php?page=types. An attacker can embed malicious JavaScript directly in the URL because the application echoes the parameter value into the page without sanitization or output encoding. When a user visits the crafted link, the script runs in the victim's browser, enabling data theft, session hijacking, or defacement. The flaw is client-side and does not by itself grant remote code execution on the server.

Affected Systems

SourceCodester Pharmacy Sales and Inventory System 1.0, running on an unspecified platform.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. EPSS information is not available, and the issue is not listed in CISA's Known Exploited Vulnerabilities catalog. The flaw can be triggered remotely with an ordinary HTTP GET request; the attacker only needs to supply a malicious ID string. A public exploit exists, but the overall risk of exploitation is considered low to moderate.

Generated by OpenCVE AI on April 28, 2026 at 12:41 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or upgrade to a version where the XSS flaw is fixed
  • Sanitize or perform output encoding on the ID parameter before it is incorporated into any page content
  • Configure the web server to send X-XSS-Protection or Content-Security-Policy headers to reduce the impact of reflected XSS
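The second and third actions above in working form, as an added example that is not SourceCodester's code or OpenCVE's: a handler that echoes the ID parameter straight into HTML (the pattern the description implies; the actual affected code is not shown on this page) beside a hardened version that validates the parameter's expected shape and then HTML-encodes it on output, plus a Content-Security-Policy header as defence in depth. Function names, the integer-ID assumption and the CSP source list are assumptions for illustration. Note that X-XSS-Protection is ignored by current Chromium and Firefox releases, so the CSP header is the one that still provides protection.

```php
<?php
// Added example, not the project's own code. Names and the assumption that a
// type ID is a small positive integer are hypothetical.

// Unsafe pattern: the raw query parameter lands in the HTML response.
function render_type_unsafe(array $get): string
{
    $id = $get['ID'] ?? '';
    return '<h2>Type: ' . $id . '</h2>';
}

// Hardened pattern: validate first, then encode for the HTML context.
function render_type_safe(array $get): string
{
    $raw = (string) ($get['ID'] ?? '');

    // 1) Input validation: reject anything that is not a short digit string.
    //    ctype_digit('') is false, so a missing ID is rejected as well.
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        http_response_code(400);
        return '<p>Invalid type id.</p>';
    }

    // 2) Output encoding: encode even validated data for the context it is
    //    written into. Flags are spelled out so behaviour is the same on PHP < 8.1.
    $id = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2>Type: ' . $id . '</h2>';
}

// 3) Defence in depth: CSP limits what any injected inline script could do if
//    an encoding bug slips through. The source list is an assumption; adjust it
//    to the scripts the real application actually loads.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Self-check on constructed input containing HTML metacharacters (benign markup,
// not an attack string). Returns true when the two handlers behave as described.
function self_check(): bool
{
    $sample = ['ID' => '1<b>x</b>'];
    $unsafe_leaks_markup = render_type_unsafe($sample) === '<h2>Type: 1<b>x</b></h2>';
    $safe_rejects        = render_type_safe($sample) === '<p>Invalid type id.</p>';
    $safe_passes_valid   = render_type_safe(['ID' => '42']) === '<h2>Type: 42</h2>';
    // Encoding alone (without validation) would also neutralise the markup:
    $encoded_only = htmlspecialchars('1<b>x</b>', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
                    === '1&lt;b&gt;x&lt;/b&gt;';
    return $unsafe_leaks_markup && $safe_rejects && $safe_passes_valid && $encoded_only;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
} else {
    send_security_headers();
    echo render_type_safe($_GET);
}
```

Run `php this_file.php` from the command line to execute the self-check; served through a web server the script applies the headers and renders the validated, encoded ID. Validation and output encoding are independent layers: encoding is what actually prevents the injection, while validation keeps unexpected input out of later code paths (such as the database query that the page parameter presumably drives).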

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System

Type: Vendors & Products
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System

Mon, 27 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of the argument ID can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.

Type: Title
Values Removed: (none)
Values Added: SourceCodester Pharmacy Sales and Inventory System index.php cross site scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79; CWE-94

Type: References

Type: Metrics
Values Removed: (none)
Values Added:

cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T13:15:12.225Z

Reserved: 2026-04-27T13:52:07.674Z

Link: CVE-2026-7200

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-28T00:16:27.170

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:45:31Z

Weaknesses