Description
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function save_supplier of the file /ajax.php?action=save_supplier. This manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Published: 2026-04-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the save_supplier function of /ajax.php and allows an attacker to manipulate the ID parameter to inject arbitrary SQL statements into the backend. By executing these statements, an attacker could potentially read, modify, or delete data stored in the database, thereby compromising the confidentiality, integrity, and availability of the pharmacy’s information system.

Affected Systems

SourceCodester Pharmacy Sales and Inventory System version 1.0 is affected. No other versions or vendors are listed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA KEV. Since remote exploitation is feasible over HTTP and an exploit is already published, the risk remains significant for anyone with network access to the application; note that every CVSS vector recorded below carries PR:L, so the scored scenario assumes an attacker who already holds a low-privileged account on the application.

Generated by OpenCVE AI on April 30, 2026 at 03:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy an updated version of the Pharmacy Sales and Inventory System if a vendor patch is available
  • Sanitize and validate the ID parameter on the server side before including it in SQL statements
  • Configure the database account used by the application with the least privileges, ensuring write access is limited to necessary tables

Generated by OpenCVE AI on April 30, 2026 at 03:57 UTC.
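As an added illustration of the second and third recommended actions above, here is a hardened save_supplier handler for the /ajax.php?action=save_supplier endpoint named on this page. This is example code written for this page, not code from SourceCodester or OpenCVE; the product's actual handler is not shown here, so the table name, column names, the $conn mysqli connection, the database name and the application account name are all assumptions.

```php
<?php
// Added example, not the product's code. Assumed schema: table `suppliers`
// with integer primary key `id` and text columns `name`, `contact`, `address`.
// Assumed: $conn is a mysqli connection the application has already opened.

function save_supplier(mysqli $conn, array $post): array
{
    // 1. Validate the ID on the server side. An empty ID means "insert";
    //    otherwise it must be a positive integer and nothing else.
    $id = null;
    if (isset($post['id']) && $post['id'] !== '') {
        $id = filter_var($post['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return ['status' => 'error', 'message' => 'invalid supplier id'];
        }
    }

    $name    = trim((string)($post['name'] ?? ''));
    $contact = trim((string)($post['contact'] ?? ''));
    $address = trim((string)($post['address'] ?? ''));
    if ($name === '') {
        return ['status' => 'error', 'message' => 'name is required'];
    }

    // 2. Never interpolate request values into the SQL text. With placeholders
    //    the database treats every bound value as data, so a crafted id cannot
    //    change the statement (the CWE-89 condition this CVE records).
    if ($id === null) {
        $stmt = $conn->prepare('INSERT INTO suppliers (name, contact, address) VALUES (?, ?, ?)');
        if ($stmt === false) {
            return ['status' => 'error', 'message' => 'database error'];
        }
        $stmt->bind_param('sss', $name, $contact, $address);
    } else {
        $stmt = $conn->prepare('UPDATE suppliers SET name = ?, contact = ?, address = ? WHERE id = ?');
        if ($stmt === false) {
            return ['status' => 'error', 'message' => 'database error'];
        }
        $stmt->bind_param('sssi', $name, $contact, $address, $id);
    }

    if (!$stmt->execute()) {
        // Log the driver error server-side; never echo it to the client.
        error_log('save_supplier failed: ' . $stmt->error);
        $stmt->close();
        return ['status' => 'error', 'message' => 'database error'];
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return ['status' => 'ok', 'rows' => $affected];
}

// Dispatch shape matching the /ajax.php?action=save_supplier endpoint on this page.
if (($_GET['action'] ?? '') === 'save_supplier') {
    header('Content-Type: application/json');
    echo json_encode(save_supplier($conn, $_POST));
}

// Least-privilege companion for the third recommended action (assumed database
// name `pharmacy` and account name `pharmacy_app`), run once by the DB admin:
//   CREATE USER 'pharmacy_app'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE ON pharmacy.suppliers TO 'pharmacy_app'@'localhost';
// No DELETE, DROP, FILE or grants on other schemas, so even an injection that
// slips through another path is bounded by what this account is allowed to do.
```

The integer check and the prepared statement are independent defences: the check rejects anything that is not a supplier ID before a query is built, and the placeholder guarantees that whatever reaches the database is bound as a value, so either one alone would close the injection this entry describes while the grant limits the blast radius if both are ever bypassed elsewhere in the application.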

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System

Type: Vendors & Products
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System

Wed, 29 Apr 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function save_supplier of the file /ajax.php?action=save_supplier. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

Type: Title
Values Removed: (none)
Values Added: SourceCodester Pharmacy Sales and Inventory System ajax.php save_supplier sql injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74; CWE-89

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T16:15:12.615Z

Reserved: 2026-04-29T09:37:19.401Z

Link: CVE-2026-7391

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-29T17:16:41.787

Modified: 2026-04-29T21:16:21.590

Link: CVE-2026-7391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:00:15Z

Weaknesses