CVE-2026-7282 - Vulnerability Details

- SourceCodester Pharmacy Sales and Inventory System ajax.php delete_expired sql injection

Description

A vulnerability was identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function delete_expired of the file /ajax.php?action=delete_expired. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Published: 2026-04-28

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw exists in the delete_expired function of the pharmacy inventory system. By supplying a crafted value for the ID parameter, a remote attacker can inject arbitrary SQL statements into the query executed by the server. This enables the exploitation of code injection and SQL injection weaknesses (CWE‑74 and CWE‑89). The attack can compromise the confidentiality and integrity of the underlying database, potentially allowing data exfiltration, modification, or deletion.

Affected Systems

SourceCodester Pharmacy Sales and Inventory System version 1.0 is affected by this vulnerability. The issue resides in the /ajax.php file when the action delete_expired is requested.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability represents a medium severity risk. The EPSS score is not available, but a publicly available exploit has been documented, indicating that remote attackers could successfully leverage the flaw. The vulnerability is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Pharmacy Sales and Inventory System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Sourcecodester

Pharmacy Sales And Inventory System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor‑supplied patch or upgrade to a revised version of the Pharmacy Sales and Inventory System that contains the fix for the delete_expired SQL injection.
If a patch is not yet available, sanitize the ID input on the server side and use prepared statements or parameterized queries to eliminate SQL injection possibilities.
Restrict access to the delete_expired functionality by enforcing authentication and role‑based permissions so that only authorized administrative users can invoke it.
Enable database account least‑privilege by configuring the application’s database user with only the permissions required for normal operation.

Generated by OpenCVE AI on April 28, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/CDipper/CVE-Test/issues/2
https://vuldb.com/submit/803018
https://vuldb.com/vuln/359940
https://vuldb.com/vuln/359940/cti
https://www.sourcecodester.com/

History

Tue, 28 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 28 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester pharmacy Sales And Inventory System
Vendors & Products		Sourcecodester Sourcecodester pharmacy Sales And Inventory System

Tue, 28 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function delete_expired of the file /ajax.php?action=delete_expired. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Title		SourceCodester Pharmacy Sales and Inventory System ajax.php delete_expired sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/CDipper/CVE-Test/issues/2 https://vuldb.com/submit/803018 https://vuldb.com/vuln/359940 https://vuldb.com/vuln/359940/cti https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Sourcecodester Pharmacy Sales And Inventory System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-28T13:30:17.479Z

Updated: 2026-04-28T15:21:54.337Z

Reserved: 2026-04-28T08:02:01.750Z

Link: CVE-2026-7282

Vulnrichment

Updated: 2026-04-28T15:21:50.834Z

NVD

Status : Deferred

Published: 2026-04-28T15:16:36.673

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:30:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object