CVE-2025-56018
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-30

Last updated on: 2026-04-09

Assigner: MITRE

Description
SourceCodester Web-based Pharmacy Product Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in Category Management via the category name field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-30
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-56018
EUVD
EUVD-2025-31751
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
senior-walter web-based_pharmacy_product_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-56018 is a Stored Cross-Site Scripting (XSS) vulnerability in the SourceCodester Web-based Pharmacy Product Management System version 1.0. It occurs in the Category Management module, specifically in the Category Name input field, which does not properly sanitize or encode user input. This allows an attacker to inject malicious JavaScript code that is stored by the application and executed whenever any user views the affected category list page. [1]

Impact Analysis

This vulnerability can have a high impact as it allows arbitrary JavaScript execution in users' browsers. Potential consequences include theft of session cookies, unauthorized actions such as adding or deleting categories and data manipulation, defacement of the application, redirection to malicious websites, and possibly full application takeover if an administrator's session is compromised. [1]

Detection Guidance

This vulnerability can be detected by attempting to inject a test script payload such as `<script>alert('XSS by Security Researcher')</script>` into the Category Name field in the Category Management module of the SourceCodester Web-based Pharmacy Product Management System v1.0. If the script executes when viewing the category list page, the system is vulnerable. There are no specific network commands provided, but manual testing via the web interface or automated web vulnerability scanners targeting stored XSS in input fields can be used. [1]

Mitigation Strategies

Immediate mitigation steps include implementing strict input validation and sanitization on both client and server sides, such as restricting category names to alphanumeric characters. Apply proper output encoding techniques like PHP's htmlspecialchars() before rendering user data. Deploy Content Security Policy (CSP) headers to limit script injection risks. Additionally, use frameworks or templating engines that automatically escape output. Applying patches or updates that address this vulnerability is strongly recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56018. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart