CVE-2026-10244: SourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the medicine name creation function. An authenticated user can inject malicious script code through the medicine_name parameter, which executes in the context of other users' browsers. The vulnerability requires user interaction (clicking a link or visiting a page) to trigger, and an attacker must have valid login credentials to exploit it. Public exploits are now available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function create_medicine_name of the file /ShowForm/create_medicine_name/main. Performing a manipulation of the argument medicine_name results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10244 is a reflected/stored XSS vulnerability (CWE-79, CWE-94) in the create_medicine_name function of SourceCodester Pharmacy Sales and Inventory System 1.0. The vulnerable endpoint is /ShowForm/create_medicine_name/main. The medicine_name parameter is not properly sanitized or encoded before being rendered in the HTML response, allowing an authenticated attacker to inject arbitrary JavaScript. The CVSS v3.1 score of 3.5 (LOW) reflects that exploitation requires valid credentials (PR:L) and user interaction (UI:R), with impact limited to integrity (I:L) and no confidentiality or availability loss.
Business impact
Organizations deploying this pharmacy system are exposed to targeted attacks by internal users or compromised accounts. An attacker with valid credentials could deface medicine records, harvest session tokens from other staff members, or redirect pharmacy staff to malicious sites during critical inventory operations. While the attack surface is limited to authenticated users, the healthcare context amplifies reputational and compliance risks, especially if patient data is displayed alongside manipulated medicine entries.
Affected systems
SourceCodester Pharmacy Sales and Inventory System version 1.0 is affected. No patch version information is provided in available advisories; users should verify directly with the vendor or check the project repository for available updates or security patches.
Exploitability
Exploitation is feasible but requires two preconditions: valid login credentials and user interaction (victim must visit a crafted link or page containing the payload). The remote nature (AV:N) and low complexity (AC:L) make it easy to deliver once an attacker has authentication. Public exploit code is now available, reducing the barrier to entry for attackers with compromised credentials or insider threats.
Remediation
Immediately check with SourceCodester for a patched version or security update. In the interim, implement strong access controls limiting who can create or edit medicine entries, enforce Content Security Policy (CSP) headers to block inline script execution, and monitor for suspicious medicine_name submissions containing script tags or encoded payloads. Consider input validation and output encoding at the application level if patches are delayed.
Patch guidance
Contact SourceCodester or visit their project repository to determine if a patched version of the Pharmacy Sales and Inventory System is available. Apply any security update as soon as feasible. If no patch is currently available, request a timeline from the vendor and implement compensating controls (CSP, WAF rules) to reduce risk during the interim period.
Detection guidance
Monitor access logs for requests to /ShowForm/create_medicine_name/main with unusual characters in the medicine_name parameter, such as <, >, script, onerror, onclick, or URL-encoded variants thereof. Web application firewalls should flag requests containing HTML/JavaScript payloads in form fields. Review pharmacy staff activity for creation of suspicious medicine entries, particularly those with embedded scripts or obfuscated content. Log and alert on any outbound requests initiated from the pharmacy system to external domains.
Why prioritize this
Although the CVSS score is LOW, prioritize patching because: (1) public exploits reduce time-to-weaponization; (2) healthcare systems face elevated regulatory scrutiny; (3) authenticated insider threats are a known risk vector; (4) the pharmacy domain handles sensitive inventory and patient data. Organizations with strict access controls and lower insider-threat profiles may delay remediation slightly, but should still schedule patching within 30 days.
Risk score, explained
The CVSS 3.5 (LOW) reflects limited direct impact: integrity only, no confidentiality or availability loss, requires authentication and user interaction. However, context matters—a pharmacy system in a healthcare facility carries higher business risk than the base score alone suggests. The availability of public exploits raises practical risk, warranting active monitoring and timely patching despite the low numeric severity.
Frequently asked questions
Does this vulnerability affect patient data directly?
The XSS vulnerability affects the integrity of medicine records and could be used to harvest staff credentials or session tokens. While direct patient data exposure depends on how the pharmacy system integrates with broader EHR systems, the risk of lateral movement and credential theft warrants urgent attention in healthcare environments.
Can an attacker exploit this without valid credentials?
No. The CVSS vector indicates PR:L (privileges required: low), meaning an authenticated user account is necessary. Attackers must either have legitimate credentials, compromise an existing user account, or leverage an insider threat. This significantly limits the attack surface compared to unauthenticated XSS vulnerabilities.
What should we do if no patch is available yet?
Implement Content Security Policy (CSP) headers with script-src 'self' to prevent inline JavaScript execution, deploy a Web Application Firewall (WAF) to filter requests containing script payloads, enforce strong access controls and multi-factor authentication for pharmacy system access, and monitor all medicine_name submissions for suspicious content.
Is this vulnerability tracked in the CISA KEV catalog?
No, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, public exploits are available, so treat it as actively exploitable. CISA listing status can change; continue to monitor official advisories.
This analysis is provided for informational and defensive purposes. SEC.co does not provide exploit code, weaponized proof-of-concept steps, or guidance for malicious use. Organizations should validate all technical details against official vendor advisories and apply patches only after testing in non-production environments. CVSS scores and threat assessments are current as of the publication date and may change as new information becomes available. Consult with your security team and legal/compliance stakeholders before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0
- CVE-2026-10529LOWwestboy CicadasCMS XSS in Task Scheduling Module