CVE-2026-10246: Stored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated user can inject malicious scripts through the medicine presentation creation function, which are then executed in the browsers of other users who view that data. The attack requires user interaction and does not grant elevated privileges, but can be used to steal session tokens, redirect users, or perform actions on their behalf within the application.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function create_medicine_presentation of the file /ShowForm/create_medicine_presentation/main. The manipulation of the argument medicine_presentation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10246 is a reflected/stored cross-site scripting vulnerability in the create_medicine_presentation function of SourceCodester Pharmacy Sales and Inventory System 1.0. The vulnerability stems from insufficient input validation on the medicine_presentation parameter in the /ShowForm/create_medicine_presentation/main endpoint. An authenticated attacker can inject JavaScript payloads that execute in the security context of other users' sessions. The CVSS 3.1 score of 3.5 (LOW) reflects the requirement for prior authentication, user interaction, and the integrity-only impact. The vulnerability maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code).
Business impact
While the CVSS score is low, the business context elevates concern. A pharmacy inventory system handles sensitive patient and medication data. XSS in this context could enable unauthorized modification of drug information, inventory records, or pricing data—potentially affecting medication dispensing accuracy or creating audit trail gaps. An authenticated employee (e.g., a disgruntled staff member or compromised account) could inject malicious scripts to target pharmacy managers or pharmacists, harvesting credentials or triggering unauthorized transactions. The reputational and compliance risk (HIPAA, state pharmacy board regulations) may exceed the technical severity rating.
Affected systems
SourceCodester Pharmacy Sales and Inventory System version 1.0 is confirmed affected. This system is commonly deployed in small to mid-sized independent pharmacies, clinics, and healthcare retail environments. Organizations using this application should verify their deployment version immediately. Patch availability and vendor responsiveness are critical next steps—check the vendor's official advisory for information on version 1.x support and upgrade paths.
Exploitability
The vulnerability has been publicly disclosed. Exploit code or proof-of-concept details may be available in public repositories or security forums, lowering the barrier to weaponization. However, exploitation requires valid application credentials and user interaction (a victim must click a link or view a crafted page), which somewhat constrains the attack surface in practice. The low barrier to exploitation, combined with public disclosure, warrants prompt patching despite the low CVSS score.
Remediation
Organizations should prioritize patching or upgrading SourceCodester Pharmacy Sales and Inventory System to a version that addresses this vulnerability. Until a patch is available, implement input validation and output encoding on the medicine_presentation parameter server-side. Apply a strict Content Security Policy (CSP) header to prevent inline script execution. Consider restricting the application to trusted networks and implementing Web Application Firewall (WAF) rules to block common XSS payloads. Audit pharmacy staff accounts for unauthorized activity.
Patch guidance
Check the SourceCodester vendor advisory or support portal for a patched version of Pharmacy Sales and Inventory System. If version 1.0 is end-of-life, plan an upgrade to a supported version. Apply patches in a test environment first, particularly given the critical nature of pharmacy operations. Coordinate patching with your pharmacy management and IT teams to minimize disruption to dispensing workflows. If patches are unavailable, contact the vendor to confirm support status and request guidance on alternative risk mitigation.
Detection guidance
Monitor application logs for unusual patterns in the create_medicine_presentation endpoint, such as requests containing script tags, event handlers (onclick, onerror), or URL-encoded JavaScript. Set up alerts for repeated failed authentication attempts followed by successful logins from different IP addresses, which may indicate credential compromise. Use web application firewalls or intrusion detection systems to flag requests with XSS payloads. Regularly audit medicine presentation records for unexpected or suspicious content that could indicate injected scripts. Implement user session monitoring to detect anomalous activity post-authentication.
Why prioritize this
Despite a low CVSS score, this vulnerability merits prompt attention due to public disclosure, the critical nature of pharmacy systems, and regulatory compliance implications. The combination of authenticated access plus user interaction creates a moderate real-world risk in environments where employees may fall victim to social engineering or phishing. Prioritize patching based on your organization's pharmacy system centrality and staff awareness levels.
Risk score, explained
The CVSS 3.1 score of 3.5 reflects the requirement for prior authentication (PR:L), user interaction (UI:R), limited attack surface, and integrity-only impact (I:L, no confidentiality or availability loss). However, CVSS does not account for the sensitivity of healthcare data, regulatory penalties, or the availability of public exploit code. Security leaders should treat this as a moderate-to-high priority for remediation in pharmacy environments, even though the base score is low.
Frequently asked questions
Can this vulnerability be exploited without valid credentials?
No. The CVSS vector indicates a Login Required (PR:L) prerequisite, so an attacker must have a valid application account. This typically limits risk to insider threats or compromised employee accounts.
What data can an attacker steal or modify using this XSS vulnerability?
An attacker cannot directly access confidential data outside the user's browser session. However, they can modify displayed medicine information, inject fake dosage or interaction warnings, redirect users to phishing pages, or steal session cookies if the application does not use HttpOnly flags.
Is there a workaround if patches are not immediately available?
Workarounds are limited but include: restricting access to the application via IP whitelisting or VPN, enforcing multi-factor authentication to reduce account compromise risk, and deploying a WAF with XSS signature rules. However, these are temporary measures and should not delay patching.
How does public disclosure affect the risk timeline?
Public disclosure dramatically increases risk because attackers have roadmaps for exploitation. The window between disclosure and patch deployment is critical. Organizations should prioritize testing and deployment within days, not weeks.
This analysis is based on the vulnerability description and CVSS data available as of the publication date. Organizations should verify patch availability and applicability against their specific deployment versions by consulting the vendor's official advisory. Regulatory compliance requirements (HIPAA, state pharmacy board rules) may impose stricter remediation timelines than CVSS severity alone. SEC.co does not provide legal, compliance, or medical advice; consult your compliance and healthcare IT teams for guidance specific to your jurisdiction and operations. Exploit code is not provided; do not attempt to weaponize or test this vulnerability outside controlled lab environments with explicit authorization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0
- CVE-2026-10529LOWwestboy CicadasCMS XSS in Task Scheduling Module