CVE-2026-10255: Pharmacy Sales System Authentication Bypass – SourceCodester 1.0
A remote access control weakness exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An unauthenticated attacker can exploit the sell_statement function in the application's form controller to bypass authorization checks and gain unauthorized read access to sensitive pharmacy data. The vulnerability requires no special interaction from users and can be triggered over the network. Because exploit code has already been publicly disclosed, active exploitation risk is elevated.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-266, CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function sell_statement of the file application/controllers/ShowForm.php. Such manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10255 affects the sell_statement function within application/controllers/ShowForm.php in SourceCodester Pharmacy Sales and Inventory System 1.0. The vulnerability stems from improper access controls (CWE-284) and insufficient permission verification (CWE-266), allowing an unauthenticated network-based attacker to bypass authorization mechanisms. The attack surface is unrestricted (no authentication prerequisite, no UI interaction required), resulting in confidentiality impact through unauthorized information disclosure. The CVSS 3.1 score of 5.3 (MEDIUM) reflects low-to-moderate risk: network-exploitable with no preconditions, but limited to read-access of data rather than modification or system availability impact.
Business impact
Unauthorized access to pharmacy sales and inventory data creates multiple business risks. Patient medication purchase history, prescription patterns, and potentially personally identifiable information may be exposed to competitors or malicious actors. This exposure can trigger privacy compliance violations (HIPAA, regional data protection laws), reputational harm, and loss of customer trust. Organizations running this system should assume confidentiality has been compromised and assess what customer, patient, and operational data has been accessed or is accessible through this vector.
Affected systems
SourceCodester Pharmacy Sales and Inventory System version 1.0 is confirmed vulnerable. No patched version number is currently available in vendor advisories; organizations using this product should contact SourceCodester for guidance on remediation timelines or workarounds. The vulnerability affects all deployments regardless of configuration, since the flaw is in the application code itself rather than dependent on specific server settings.
Exploitability
Exploitability is high in practical terms. The vulnerability requires no authentication, no user interaction, and no special network access—an attacker needs only network connectivity to the affected application. The CVSS Access Vector (AV:N) and Attack Complexity (AC:L) confirm ease of triggering. Public disclosure of exploit code significantly increases the likelihood of opportunistic scanning and exploitation by attackers with minimal sophistication. This is not a theoretical risk.
Remediation
Immediate action is required. Organizations should prioritize updating to a patched version as soon as SourceCodester releases one; verify the vendor advisory for available releases. Until an update is available, implement network-level access controls to restrict direct connectivity to the affected application—use firewalls, VPNs, or reverse proxies to allow only trusted internal users or IP ranges. Conduct a data access audit to identify what sales and inventory records may have been viewed through this function. Monitor application logs for unusual access patterns to ShowForm.php or the sell_statement endpoint.
Patch guidance
Check SourceCodester's official security advisory and download page for version updates addressing CVE-2026-10255. Verify that the patched version explicitly mentions this CVE in its release notes. Test patches in a non-production environment before deployment to ensure compatibility with your pharmacy workflows and any customizations. If no official patch is available yet, maintain contact with the vendor for status updates and confirm expected remediation timeline.
Detection guidance
Monitor HTTP request logs and application access logs for direct calls to ShowForm.php with focus on the sell_statement function parameter. Look for requests lacking valid authentication tokens or session identifiers, especially repeated or automated attempts. Implement intrusion detection signatures targeting GET/POST requests to the vulnerable endpoint. Log and alert on any access to inventory or sales data retrieval functions by unauthenticated sessions. Review access control lists and verify that ShowForm.php requires authentication before processing any user input.
Why prioritize this
Although the CVSS score is MEDIUM (5.3), several factors elevate practical priority: (1) publicly available exploit code removes the barrier to active exploitation, (2) affected data—pharmacy sales and patient information—carries high regulatory and reputational sensitivity, (3) the attack is trivially easy to execute with no preconditions, and (4) SourceCodester is a small-footprint system often deployed in small-to-medium healthcare operations with limited security infrastructure. Organizations using this product should treat this as a near-term remediation target despite the moderate numeric score.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects a confidentiality-only impact (no integrity or availability compromise) accessible over the network with no authentication or user interaction required. The MEDIUM rating is appropriate from a pure technical perspective. However, the business context—healthcare data, public exploit availability, and typical deployment in resource-constrained settings—warrants treating this with urgency in prioritization decisions. Do not allow the MEDIUM label to create false comfort; escalate to decision-makers responsible for pharmacy system security.
Frequently asked questions
What data can an attacker actually see through this vulnerability?
The vulnerability allows read-only access to data returned by the sell_statement function. In a pharmacy context, this typically includes sales records, inventory levels, and associated transaction metadata. An attacker cannot modify or delete data, but can retrieve and exfiltrate this information. Audit your application logs to determine the full extent of accessible data fields.
Does this vulnerability require the attacker to be on the same network?
No. The CVSS vector AV:N (Attack Vector: Network) confirms this is remotely exploitable from the internet if the application is internet-facing or accessible via VPN. Even applications accessible only internally are at risk from insider threats or compromised internal systems.
Is there a workaround if we cannot patch immediately?
Yes. Implement network-layer access controls: use a firewall to allow only trusted IP addresses to reach the application, deploy a reverse proxy with authentication enforcement, or require VPN access before reaching the system. These controls do not fix the underlying flaw but significantly reduce attack surface while you await a patch.
How do we know if we've been exploited?
Review web server and application logs for access to ShowForm.php with the sell_statement parameter, especially requests without valid authentication sessions. Check for unusual read activity on sales or inventory database tables. Consider engaging incident response support if you detect suspicious patterns, as access logs may have been cleared by an attacker.
This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Organizations must verify all technical details against official vendor advisories and perform independent risk assessment within their own environment. CVSS scoring reflects standardized technical severity only and may not capture business-specific risk factors in your organization. Patch versions, availability timelines, and vendor statements change; consult SourceCodester directly for the latest guidance. Testing of patches and detection rules should be conducted in isolated environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10217MEDIUMGoClaw Privilege Escalation in RoleAdmin Gateway (CVSS 6.3)