Description
A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function Customer of the file /index.php?page=customer. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Published: 2026-04-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in the Customer function of the index.php page of SourceCodester Pharmacy Sales and Inventory System 1.0. By injecting malicious code into the Name argument, an attacker can trigger an XSS payload that runs in the context of the victim’s browser. This allows the attacker to steal authentication cookies, hijack user sessions, or load additional malware. The vulnerability does not provide direct access to the underlying server logic, but it gives an attacker the ability to manipulate the browser environment of legitimate users.

Affected Systems

SourceCodester Pharmacy Sales and Inventory System version 1.0 is affected. The vulnerability resides in the Customer function accessed via /index.php?page=customer.

Risk and Exploitability

The CVSS score of 5.1 classifies the flaw as medium severity; the EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability remotely by sending a crafted request containing a malicious Name parameter. Because the exploit is publicly available, networks that host the application should expect attempts to inject the payload in order to steal user credentials or deface the site.

Generated by OpenCVE AI on April 29, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SourceCodester Pharmacy Sales and Inventory System to the latest available release that fixes the XSS issue.
  • Ensure that the Name input is properly validated and HTML-escaped before rendering it back to users.
  • Deploy a Content Security Policy that disallows inline scripts and limits the sources from which scripts can be loaded.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sourcecodester; Sourcecodester pharmacy Sales And Inventory System
Vendors & Products | | Sourcecodester; Sourcecodester pharmacy Sales And Inventory System

Wed, 29 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function Customer of the file /index.php?page=customer. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Title | | SourceCodester Pharmacy Sales and Inventory System index.php customer cross site scripting
Weaknesses | | CWE-79, CWE-94
References | |
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T17:11:49.240Z

Reserved: 2026-04-29T09:37:15.508Z

Link: CVE-2026-7390

Vulnrichment

Updated: 2026-04-29T17:11:32.235Z

NVD

Status: Deferred

Published: 2026-04-29T16:16:29.857

Modified: 2026-04-29T21:16:21.590

Link: CVE-2026-7390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:30:20Z
