Description
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function supplier of the file /index.php?page=supplier. Executing a manipulation of the argument Name can lead to cross-site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-28
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply patch
AI Analysis

Impact

A flaw in the Pharmacy Sales and Inventory System allows an attacker to inject and execute arbitrary client‑side script by supplying a crafted Name value to the /index.php?page=supplier endpoint. The server fails to properly sanitize or encode this input before writing it into the HTML response, resulting in a classic reflected cross‑site scripting vulnerability (CWE‑79). When a remote attacker triggers it, the injected code runs inside the browser context of any user who visits the affected page, allowing the attacker to manipulate the page or run arbitrary JavaScript in that user's session.

Affected Systems

The vulnerability is reported only for version 1.0 of SourceCodester Pharmacy Sales and Inventory System. No other versions or editions were identified as affected in the available data.

Risk and Exploitability

The CVSS score of 4.8 classifies the issue as moderate severity. No EPSS score is published and the flaw is not listed in CISA’s KEV catalog, indicating no confirmed exploitation to date. The endpoint can be reached over the public Internet via an HTTP request to /index.php?page=supplier with a specially crafted Name parameter, so the attack surface is entirely remote. If successfully exploited, the injected code executes in the browser of any user who loads the page, which may lead to malicious client‑side actions; no direct changes to the underlying system are described in the CVE description.

Generated by OpenCVE AI on April 28, 2026 at 23:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑provided patch or newer release of Pharmacy Sales and Inventory System that corrects the XSS flaw.
  • Sanitize or encode all data from the Name parameter on the server side before it is included in the HTML response.
  • Implement a Content Security Policy that disallows inline scripts and limits script execution to trusted sources.
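One way to carry out the second and third recommended actions in the application's own language (PHP), given as an added example rather than the project's code; the function names, form markup and sample input are assumptions:

```php
<?php
// Added example (not the project's own code): context-aware output encoding for
// the supplier Name value before it is written into the HTML response, plus a
// restrictive Content-Security-Policy header. Names and markup are assumptions.

declare(strict_types=1);

/** Encode a value for HTML text or a double-quoted attribute context. */
function html_encode(string $value): string
{
    // ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string, ENT_HTML5 selects HTML5 entities.
    // This encoder is only correct for HTML text and attribute contexts, not
    // for values placed inside <script> blocks, URLs or CSS.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the supplier form fragment with the Name value safely embedded. */
function render_supplier_name_field(string $name): string
{
    $safe = html_encode($name);
    return '<label>Name <input type="text" name="name" value="' . $safe . '"></label>'
         . '<p>Supplier: ' . $safe . '</p>';
}

/** Send a CSP that blocks inline scripts so a missed encoding point cannot execute. */
function send_csp_header(): void
{
    // Must be sent before any response body is emitted.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: angle brackets, quotes and ampersand are neutralised.
    echo render_supplier_name_field('Acme <b>"Pharma"</b> & Co'), PHP_EOL;
} elseif (($_GET['page'] ?? '') === 'supplier') {
    send_csp_header();
    $name = (string)($_GET['name'] ?? '');   // untrusted request input
    echo render_supplier_name_field($name);
}
```

Run from the command line to see the encoded fragment; in the web path the CSP header is sent before the fragment is echoed.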


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values added: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System

Type: Vendors & Products
Values added: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 13:45:00 +0000

Type: Description
Values added: A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function supplier of the file /index.php?page=supplier. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Type: Title
Values added: SourceCodester Pharmacy Sales and Inventory System index.php supplier cross site scripting

Type: Weaknesses
Values added: CWE-79; CWE-94

Type: References

Type: Metrics (cvssV2_0)
Values added: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

Type: Metrics (cvssV3_0)
Values added: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

Type: Metrics (cvssV3_1)
Values added: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

Type: Metrics (cvssV4_0)
Values added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T14:33:24.195Z

Reserved: 2026-04-28T08:01:56.597Z

Link: CVE-2026-7281

Vulnrichment

Updated: 2026-04-28T14:10:26.476Z

NVD

Status: Deferred

Published: 2026-04-28T14:16:15.247

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:30:06Z

Weaknesses