Description
A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
Published: 2026-05-07
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw allows an attacker to manipulate the ID argument of ajax.php?action=save_user. The flaw enables execution of arbitrary SQL commands against the underlying database, potentially exposing sensitive data or modifying inventory and sales records. The vulnerability is exploitable remotely and public proof-of-concept code exists.

Affected Systems

The vulnerability affects SourceCodester Pharmacy Sales and Inventory System version 1.0. No other versions are listed as impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. Because the attack vector is network-based, an adversary could target the web application without local access. No EPSS score is available and the vulnerability is not yet listed in the CISA KEV catalog, so the likelihood of widespread exploitation remains uncertain. Nonetheless, the ability to alter or disclose database content warrants prompt attention.

Generated by OpenCVE AI on May 7, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify all instances of SourceCodester Pharmacy Sales and Inventory System and verify that no unauthorized PHP files or parameters remain exposed.
  • Upgrade to a patched or newer version of the application that implements parameterized queries for the save_user action; if no official patch exists, apply a custom fix that validates the ID parameter (for example, as a positive integer) and uses prepared statements with bound parameters.
  • Restrict the database account used by the web application to the minimum required privileges, and monitor database logs for anomalous activity.
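The recommended fix in code form, as an added example and not code from the SourceCodester project (the affected part of ajax.php is described as unknown, so the vulnerable handler below is a hypothetical reconstruction of the described pattern, not the product's code). It assumes a `users` table with integer `id` and string `name` columns; the DSN and credentials are placeholders.

```php
<?php
// Added example (not the project's code): a hypothetical save_user handler
// showing the vulnerable pattern and a hardened replacement. Assumes a
// `users` table with columns `id` (int) and `name` (varchar).
declare(strict_types=1);

/**
 * Vulnerable pattern (hypothetical): the id value is interpolated into the
 * statement, so any non-numeric input becomes part of the SQL text.
 */
function save_user_vulnerable(PDO $db, array $post): bool
{
    $id   = $post['id'] ?? '';
    $name = $post['name'] ?? '';
    $sql  = "UPDATE users SET name = '$name' WHERE id = $id";
    return $db->exec($sql) !== false;
}

/**
 * Hardened version: validate the id as a positive integer before it touches
 * SQL, bound the name length, and bind every value via a prepared statement.
 */
function save_user_hardened(PDO $db, array $post): bool
{
    // Reject anything that is not a plain positive integer (strings such as
    // "1 OR 1=1" or "1'" fail FILTER_VALIDATE_INT).
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        http_response_code(400);
        return false;
    }

    // Placeholders are typed and bound; the SQL text never contains user input.
    $stmt = $db->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

/** Connection with server-side prepared statements (DSN/credentials are placeholders). */
function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
        'PLACEHOLDER_USER',
        'PLACEHOLDER_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real prepared statements, not client-side interpolation
        ]
    );
}

// Dispatch for /ajax.php?action=save_user using the hardened handler.
if (($_GET['action'] ?? '') === 'save_user') {
    echo save_user_hardened(db(), $_POST) ? 'ok' : 'error';
}
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the database server parse the statement before any value is supplied, so the bound `id` can only ever be compared as an integer. Pair this with a dedicated database account that holds only the SELECT/INSERT/UPDATE privileges the application needs on its own schema, as the last recommended action describes.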


Advisories

No advisories yet.

History

Thu, 07 May 2026 20:45:00 +0000

Values Removed: none
Values Added:
  First Time appeared: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System
  Vendors & Products: Sourcecodester; Sourcecodester pharmacy Sales And Inventory System

Thu, 07 May 2026 20:15:00 +0000

Values Removed: none
Values Added:
  Metrics: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 19:00:00 +0000

Values Removed: none
Values Added:
  Description: A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
  Title: SourceCodester Pharmacy Sales and Inventory System ajax.php save_user sql injection
  Weaknesses: CWE-74, CWE-89
  References:
  Metrics:
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-07T19:14:18.598Z

Reserved: 2026-05-07T12:15:44.368Z

Link: CVE-2026-8083

Vulnrichment

Updated: 2026-05-07T19:14:11.569Z

NVD

Status: Deferred

Published: 2026-05-07T19:16:02.787

Modified: 2026-05-07T19:48:55.360

Link: CVE-2026-8083

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T20:45:22Z

Weaknesses