Description
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Published: 2026-05-08
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the Pharmacy Sales and Inventory System that allows an attacker to inject malicious script payloads into the Name field used by the /index.php?page=users endpoint. The flaw can lead to client‑side execution of arbitrary code when a user views the affected page, potentially enabling credential theft, defacement, or further exploitation from the victim’s browser. The weakness is an input validation flaw (CWE‑79) coupled with an untrusted eval usage (CWE‑94).

Affected Systems

SourceCodester Pharmacy Sales and Inventory System version 1.0 is vulnerable through the index.php page handling the users module. No other versions or products are currently documented as affected.

Risk and Exploitability

The CVSS base score of 4.8 denotes moderate severity, and the lack of an EPSS value implies no publicly confirmed exploit prevalence. The vulnerability is not present in the CISA KEV catalog. An attacker can trigger the flaw remotely by crafting a request to /index.php?page=users with a malicious Name parameter, then persuading or tricking an authenticated or public user to view the response. The impact is limited to client browsers; an isolation of the vulnerability to the user interface reduces system‑wide compromise unless the user follows advanced stages of an XSS chain.

Generated by OpenCVE AI on May 8, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pharmacy Sales and Inventory System to the latest released version where the Name input is properly sanitized and no eval is performed on user data.
  • In absence of a patch, employ input validation to restrict the Name field to alphanumeric characters and strip out script tags before rendering it in the page.
  • Configure the web server or application firewall to block requests containing <script> tags or other forged code in the Name query parameter.

Generated by OpenCVE AI on May 8, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester pharmacy Sales And Inventory System
Vendors & Products Sourcecodester
Sourcecodester pharmacy Sales And Inventory System

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Title SourceCodester Pharmacy Sales and Inventory System index.php users cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Sourcecodester Pharmacy Sales And Inventory System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T03:45:08.503Z

Reserved: 2026-05-07T17:55:22.583Z

Link: CVE-2026-8136

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T04:16:26.940

Modified: 2026-05-08T04:16:26.940

Link: CVE-2026-8136

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses