LOW 3.5

CVE-2026-10245: Stored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0

SourceCodester Pharmacy Sales and Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in its supplier creation functionality. An authenticated user can inject malicious code through the company name field when creating a supplier record. This code executes in the browsers of other users who view the supplier information, potentially allowing attackers to steal session tokens, redirect users to malicious sites, or perform unauthorized actions on their behalf. Public exploits for this vulnerability are already available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is the function create_supplier of the file /ShowForm/create_supplier/main. Executing a manipulation of the argument company_name can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the create_supplier function of the /ShowForm/create_supplier/main endpoint. The company_name parameter is not properly sanitized or encoded before being stored and rendered to end users. This classic stored XSS flaw allows an authenticated attacker to inject JavaScript that persists in the application database. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code). The attack requires valid user credentials and user interaction (opening the affected supplier record), but the remote, network-accessible nature of the web application means any authenticated user in the system poses a risk.

Business impact

While the CVSS score is rated low, the business impact should not be underestimated. An internal attacker or compromised user account can manipulate the pharmaceutical inventory system to steal staff credentials, redirect pharmacy staff to fake login pages, or inject malware onto employee workstations. In a healthcare context, disruption to inventory management—even temporary—creates patient safety risks and operational delays. Regulatory compliance frameworks (HIPAA, if patient data flows through the system) may classify unauthorized data access or system manipulation as a reportable incident.

Affected systems

SourceCodester Pharmacy Sales and Inventory System version 1.0 is explicitly affected. This is a relatively specialized application used in independent and small-chain pharmacy operations. Deployments are typically on-premises or hosted in smaller cloud environments. Organizations running this system should inventory all installations and prioritize those handling sensitive patient or financial data.

Exploitability

Exploitability is moderate but not trivial. The attack requires valid credentials (unauthenticated attacks are not possible), and successful exploitation depends on another user viewing the poisoned supplier record. Public exploits are available, which lowers the technical barrier for attackers with internal or compromised-account access. The attack is straightforward to execute—no advanced exploitation techniques are required. The primary limiting factor is that the attacker must already be inside the system as a legitimate user.

Remediation

The immediate remediation is to update SourceCodester Pharmacy Sales and Inventory System to a patched version released after June 2026. Verify the exact patch version against the SourceCodester advisory. Until a patch is available, mitigate the risk by: (1) restricting access to supplier creation functions to trusted administrators only; (2) implementing a Web Application Firewall (WAF) rule to block script tags and common XSS payloads in the company_name parameter; (3) enforcing output encoding on the front-end display of supplier information; (4) conducting user access reviews to remove unnecessary elevated privileges.

Patch guidance

Contact SourceCodester directly or check their support portal for patch availability. Given that this vulnerability was published on June 1, 2026 and modified on June 17, 2026, patches may be staged. Apply patches in a controlled test environment first to validate compatibility with your pharmacy workflows. If the vendor has not released a patch, escalate to SourceCodester's security team for an expected timeline.

Detection guidance

Monitor application logs for supplier creation events, particularly those with unusual characters or HTML/script tags in the company_name field (look for <, >, script, onerror, onload, etc.). Use Security Information and Event Management (SIEM) tools to correlate these events with subsequent user activity. Review supplier records in the database for stored XSS payloads using regular expressions that match common script injection patterns. Endpoint detection and response (EDR) tools on pharmacy staff workstations should flag unexpected script execution or credential harvesting related to the Pharmacy Sales and Inventory System application.

Why prioritize this

Although the CVSS score is 3.5 (LOW), this vulnerability deserves prompt attention because: (1) exploits are publicly available, eliminating the window provided by zero-day embargoes; (2) the application manages critical healthcare inventory data; (3) any authenticated user can be the attacker, including disgruntled staff or those with compromised credentials; (4) successful exploitation can cascade to credential theft or lateral movement within the network. For healthcare organizations, regulatory reporting obligations may be triggered if patient data is accessed through the compromised session.

Risk score, explained

The CVSS 3.1 score of 3.5 reflects the attack vector (network-based, remotely accessible), low attack complexity, and requirement for low privileges (authenticated user). However, the score does not account for the healthcare sector context, public exploit availability, or the integrity impact on system data trustworthiness. Organizations should apply a contextual uplift to this score if the Pharmacy Sales and Inventory System stores, processes, or transmits protected health information (PHI).

Frequently asked questions

Do we need to patch immediately if we have strong access controls on this application?

No, but patching should be scheduled within 30 days. In the interim, restricting supplier management to 2–3 trusted administrators significantly reduces attack surface. However, as exploits are public and your workforce may change, patching eliminates the vulnerability entirely rather than relying on access control to prevent abuse.

Can a user outside the pharmacy company exploit this vulnerability?

No. The vulnerability requires valid login credentials (the CVSS vector shows PR:L, meaning Low Privilege is needed). External attackers would first need to compromise an employee account through phishing or credential stuffing. That said, do not rely on this as your only control—assume credential compromise is possible.

If we upgrade to a newer version of SourceCodester, are we guaranteed to avoid this flaw?

Not necessarily. Verify the specific patch version or release notes from SourceCodester's advisory to confirm that XSS input validation in the create_supplier function was addressed. 'Newer version' is not a guarantee without explicit confirmation from the vendor.

What should we do if we discover a supplier record with an XSS payload already stored in it?

Delete the malicious record immediately and audit database backups to determine when it was introduced. Review access logs for the time period to identify which user created it. If an unauthorized user created it, investigate for credential compromise. Consider performing a forensic analysis if the payload suggests an external attacker had internal access.

This analysis is based on publicly available vulnerability data as of June 2026. Patch versions, vendor statements, and timelines are subject to change; verify all remediation steps against official SourceCodester advisories before implementation. SEC.co does not provide medical, legal, or regulatory compliance advice. Healthcare organizations should consult their legal and compliance teams regarding HIPAA notification requirements if this vulnerability affects systems processing protected health information. This vulnerability is provided for informational purposes and should not be used to develop or test malicious code. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).