CVE-2026-10247: XSS in SourceCodester Pharmacy Sales System 1.0
A cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An authenticated attacker can inject malicious scripts through the generic_name parameter in the create_generic_name function, which the application will then execute in users' browsers. This could allow the attacker to steal session cookies, hijack user accounts, or manipulate pharmacy data. The vulnerability requires user interaction to trigger and an authenticated account to exploit, limiting its immediate impact, but public exploit code is now available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This vulnerability affects the function create_generic_name of the file /ShowForm/create_generic_name/main. The manipulation of the argument generic_name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10247 is a reflected XSS vulnerability in the /ShowForm/create_generic_name/main endpoint of SourceCodester Pharmacy Sales and Inventory System 1.0. The create_generic_name function fails to properly sanitize or encode the generic_name request parameter before rendering it in the HTTP response. This occurs after authentication (PR:L), meaning an attacker must first obtain valid credentials. The vulnerability maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code). The CVSS v3.1 score of 3.5 (LOW) reflects the authentication requirement and user interaction requirement, despite the network-accessible attack vector.
Business impact
If exploited against pharmacy staff, this vulnerability could enable attackers to modify medication inventory data, tamper with prescription records, or capture sensitive patient information. An attacker with a low-privilege account (e.g., a junior technician) could escalate privileges by stealing session tokens from higher-privileged users, or manipulate critical data to trigger operational disruptions. For healthcare-adjacent systems, even low-severity XSS can create compliance concerns under HIPAA or similar regulations if patient data exposure occurs.
Affected systems
SourceCodester Pharmacy Sales and Inventory System version 1.0 is affected. This is a PHP-based open-source application commonly deployed in small to mid-sized pharmacies. Organizations running this exact version should verify their deployments. The /ShowForm/create_generic_name/main endpoint is specifically vulnerable; other endpoints may have similar issues and should be audited.
Exploitability
Exploitation requires an authenticated account (PR:L), which limits the attack surface but does not eliminate it—staff credentials are often easier to obtain or compromise than administrative ones. A user interaction requirement (UI:R) means the victim must follow a malicious link or be socially engineered to click it. However, public exploit code is available, lowering the technical barrier for attackers without deep expertise. The network-accessible nature (AV:N) means no local access is required. Overall, this is exploitable in realistic scenarios but not trivially weaponized against random users.
Remediation
Apply vendor patches as soon as they are published. If patches are not available, implement input validation on the generic_name parameter to reject or strip HTML/JavaScript characters, and apply output encoding (HTML entity encoding) when rendering the parameter in responses. A Web Application Firewall (WAF) rule to block requests containing common XSS payloads (e.g., <script>, onerror=, javascript:) in the generic_name parameter can mitigate immediate risk. Consider requiring strong password policies and multi-factor authentication to reduce the likelihood of credential compromise.
Patch guidance
Verify the vendor (SourceCodester) website or official update channels for a patched version above 1.0. Patches should be applied immediately upon availability, given public exploit code. In a test environment, validate that the patch resolves the XSS issue by attempting injection of test payloads before deploying to production. Monitor the application for any behavioral changes post-patch. If the vendor ceases support for version 1.0, evaluate migrating to a maintained alternative pharmacy system.
Detection guidance
Monitor web server logs and WAF logs for requests to /ShowForm/create_generic_name/main with suspicious generic_name parameter values (e.g., containing <, >, ", ', javascript:, onerror, or onload). Alert on any logged-in user accounts making requests with XSS-like payloads. Conduct input validation testing on all form fields and URL parameters in the application. Use a SAST tool to scan the source code for instances where user input is rendered without encoding. Review browser console errors and network traffic on staff workstations for signs of injected scripts.
Why prioritize this
Despite the LOW CVSS score, this vulnerability should be prioritized because public exploit code is available and the system handles sensitive healthcare data. Authentication and user interaction requirements prevent mass exploitation, but targeted attacks against pharmacy staff are realistic. The healthcare context elevates business and regulatory risk beyond what the technical score alone suggests. Prioritize patching before wider distribution of full exploit chains occurs.
Risk score, explained
The CVSS v3.1 score of 3.5 reflects a LOW severity rating due to three limiting factors: (1) authentication is required (PR:L), (2) user interaction is necessary (UI:R), and (3) impact is limited to integrity (I:L) with no confidentiality or availability impact. However, this score does not capture the healthcare compliance implications or the fact that exploit code is public. Security teams should interpret 3.5 as a baseline; business context and threat intelligence (public exploits) justify elevated remediation urgency.
Frequently asked questions
Do we need an account to exploit this vulnerability?
Yes. An attacker must first authenticate to the application using a valid user credential, such as a pharmacy technician login. This significantly limits who can exploit it compared to unauthenticated vulnerabilities, but staff credentials are often easier to compromise than admin accounts.
What happens if someone exploits this XSS vulnerability?
An attacker can inject JavaScript into the application, which will execute in the browser of any pharmacy staff member who visits a crafted link. This could allow theft of session cookies to hijack their account, manipulation of inventory or prescription data, or harvesting of sensitive information. In a healthcare setting, patient data exposure could trigger regulatory violations.
Is there a patch available yet?
As of the vulnerability publication date, verify the SourceCodester vendor website or official channels for available updates to version 1.0. Public exploit code is already circulating, so patching should be urgent once a fix is released. If no patch is forthcoming, use input validation and WAF rules as interim mitigations.
Why is this marked LOW severity if exploit code is public?
CVSS severity is determined by technical attack characteristics (network access, authentication, user interaction, impact scope). The authentication requirement and user interaction requirement lower the technical score to 3.5 (LOW). However, public availability of exploits raises real-world risk and should influence your remediation timeline independent of the CVSS score.
This analysis is provided for informational purposes to support security decision-making. It does not constitute legal or medical advice. Organizations subject to healthcare regulations (HIPAA, GDPR, etc.) should consult their compliance team regarding breach notification and remediation timelines. Verify all patch versions and vendor guidance directly with SourceCodester before deploying updates. SEC.co does not endorse or provide exploit code; this summary is based on published CVE data and public threat intelligence only. Always test patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0
- CVE-2026-10529LOWwestboy CicadasCMS XSS in Task Scheduling Module