CVE-2026-10248: CSV Injection in SourceCodester Pharmacy Sales and Inventory System
SourceCodester's Pharmacy Sales and Inventory System version 1.0 and earlier contains a CSV injection vulnerability in its supplier creation interface. An authenticated attacker with high privileges can inject malicious CSV formulas through the Address or Company Name fields when exporting supplier data, potentially causing data corruption, formula execution, or information disclosure when a user opens the exported file in a spreadsheet application.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-1236, CWE-74
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10248 is a CSV injection vulnerability (CWE-74, CWE-1236) in the Supplier Creation Interface of SourceCodester Pharmacy Sales and Inventory System up to version 1.0. The vulnerability exists in the create_supplier function within the /Export_csv/export component. The Address and Company Name parameters are not properly sanitized before being written to CSV exports, allowing an authenticated high-privilege user to inject formula sequences (e.g., =, +, -, @) that execute arbitrary operations when the file is parsed by spreadsheet software. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) reflects network accessibility with high privilege requirement and no user interaction beyond the administrator's actions.
Business impact
This vulnerability poses moderate risk to pharmacy operations. A malicious or compromised high-privilege user account can export supplier records containing embedded formulas that execute when staff open reports in Excel or similar tools. This can lead to unauthorized command execution on administrative workstations, exfiltration of sensitive prescription or inventory data, or manipulation of supplier records. The confidentiality, integrity, and availability impacts are limited (L/L/L) but compounded by the healthcare data sensitivity typical in pharmacy systems and the reliance on exported reports for regulatory compliance and financial reconciliation.
Affected systems
SourceCodester Pharmacy Sales and Inventory System versions up to and including 1.0 are vulnerable. No patched version information has been disclosed publicly; verify with SourceCodester for availability of a security update. The vulnerability requires authenticated access with administrative or supplier-management privileges, limiting the attack surface to internal users or accounts that have been compromised.
Exploitability
Exploitation requires valid high-privilege credentials and administrative access to the supplier creation interface. The attack is straightforward—an authenticated admin or high-privilege user simply enters a formula (e.g., =cmd|'/c calc'!A1) in the Address or Company Name field, then exports supplier data. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update; however, proof-of-concept information has been publicly disclosed, increasing the risk of opportunistic attacks by insiders or those with lateral movement access to admin accounts.
Remediation
Update SourceCodester Pharmacy Sales and Inventory System to a patched version when available; contact the vendor directly for security advisories and release timelines. As an interim control, restrict export functionality to a minimal set of trusted administrators, implement monitoring on export activities (particularly high-volume or unusual exports), and educate staff to disable automatic formula evaluation in spreadsheet applications. Apply principle of least privilege to supplier management accounts.
Patch guidance
Monitor SourceCodester's security advisories and release notes for a patch addressing CSV injection in the export functionality. Verify the fix against the vendor's official advisory to confirm it sanitizes the Address and Company Name fields before CSV output. Test patches in a non-production environment before deployment to ensure compatibility with your pharmacy workflows and any downstream report integrations. Once a patch is available, prioritize deployment to systems handling sensitive supplier or inventory data.
Detection guidance
Monitor access logs for unusual patterns in supplier creation or export activities, particularly late-night or off-hours exports by administrative accounts. Search application logs and CSV export files for indicators of formula injection: entries beginning with =, +, -, @, or tab characters in Address or Company Name fields. Implement file integrity monitoring on exported CSV reports to detect unexpected changes. Log all export operations with user, timestamp, and record count to establish a baseline for anomalous activity. Network-level monitoring is less effective here since the vulnerability is triggered by authenticated actions; focus on access control and logging within the application.
Why prioritize this
Although this vulnerability has a CVSS score of 4.7 (MEDIUM), it warrants prompt attention in healthcare environments due to the sensitivity of pharmacy data, the established proof-of-concept disclosure, and the potential for insider threats or compromised admin accounts to cause significant operational disruption or compliance violations (HIPAA, state pharmacy regulations). The high privilege requirement reduces immediate external threat but increases insider risk—a priority for most pharmacy operations.
Risk score, explained
The CVSS 3.1 score of 4.7 reflects: (1) Network Attack Vector—vulnerable via the web interface; (2) Low Attack Complexity—no special conditions needed to trigger the injection; (3) High Privilege Requirement—only admin/high-privilege accounts can exploit; (4) No User Interaction—the admin performing the export is the attacker; (5) Low impact on Confidentiality, Integrity, and Availability—formula execution can leak data or corrupt processes, but not wholesale system compromise. In pharmacy contexts, the contextual risk is elevated due to regulated data and operational criticality, even though the numeric score remains MEDIUM.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires valid high-privilege (administrative) credentials to access the Supplier Creation Interface and export functionality. Unauthenticated users cannot reach the vulnerable component.
What happens if an exported CSV file with an injected formula is opened?
When the file is opened in Excel, Google Sheets, or similar spreadsheet software, the formula executes if macro warnings are disabled or the user confirms formula evaluation. This can result in command execution on the user's workstation, information disclosure, or data manipulation depending on the formula's design and the application's security settings.
Is there a patch available yet?
As of the vulnerability's publication on 2026-06-01 and modification on 2026-06-17, no official patch version has been confirmed in public advisories. Contact SourceCodester directly for patch availability and timelines. Do not assume vendor silence means no fix is in development.
Can I mitigate this without a patch?
Yes. Restrict export access to only essential administrators, implement strict audit logging for all export activities, educate users to disable automatic formula evaluation in spreadsheet applications, and monitor for suspicious Address or Company Name entries containing formula characters (=, +, -, @, tab).
This analysis is provided for informational purposes and reflects the vulnerability state as of the published CVE data. No patch version numbers or timelines are guaranteed; verify all remediation steps against the official SourceCodester security advisory. This vulnerability requires high-privilege access; review your access control policies to identify and monitor at-risk accounts. In regulated healthcare environments, consult your compliance and legal teams regarding notification and reporting obligations related to this vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10175MEDIUMCode Injection in Aider-AI Aider 0.86.3 – Exploit Available