CVE-2026-26708
Status: Received - Intake
SQL Injection in Pharmacy POS System Manage_User Component

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: MITRE

Description
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php.
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-03
Generated: 2026-06-16
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: oretnom23
Product: pharmacy_point_of_sale_system
Version / Range: 1.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The Pharmacy Point of Sale System v1.0 by sourcecodester has an SQL injection vulnerability in the file /pharmacy/manage_user.php, specifically in the URL parameter 'id'.

An attacker can inject malicious SQL code through this 'id' parameter, allowing them to execute unauthorized SQL queries on the backend SQLite database.

For example, a UNION-based SQL injection payload can be used to retrieve database information such as the SQLite version, confirming the vulnerability. [1]

Impact Analysis

This vulnerability can allow an attacker to execute unauthorized SQL queries on the backend database.

As a result, sensitive data stored in the database could be leaked or exposed.

Additionally, the attacker might further compromise the system by manipulating or deleting data, potentially disrupting normal operations.

Compliance Impact

I don't know

Detection Guidance

This SQL injection vulnerability can be detected by sending specially crafted HTTP requests to the vulnerable endpoint and observing the responses for SQL errors or unexpected data.

Specifically, you can test the `/pharmacy/manage_user.php` endpoint by injecting SQL code into the `id` GET parameter.

An example command using curl to test the vulnerability is:

curl "http://<target>/pharmacy/manage_user.php?id=-1' union select 1, 2, sqlite_version(), 4, 5, 6, 7 -- +" -H "Cookie: PHPSESSID=<session_id>"

This command attempts a UNION-based SQL injection to retrieve the SQLite version, which confirms the injection point and database type. [1]
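On the defender's side, the same probe shows up in web-server access logs. The following Python, added here as an example (not part of this record or of the vendor's product), scans constructed Combined Log Format lines for requests to `/pharmacy/manage_user.php` whose `id` parameter is anything other than a plain numeric user id, and reports the SQL syntax it finds; the log format and sample entries are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2026:10:00:01 +0000] "GET /pharmacy/manage_user.php?id=7 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Mar/2026:10:00:02 +0000] "GET /pharmacy/manage_user.php?id=-1%27%20union%20select%201,2,sqlite_version(),4,5,6,7%20--%20+ HTTP/1.1" 200 2390 "-" "curl/8.4.0"
10.0.0.9 - - [02/Mar/2026:10:00:03 +0000] "GET /pharmacy/manage_user.php?id=7%27 HTTP/1.1" 500 512 "-" "curl/8.4.0"
10.0.0.5 - - [02/Mar/2026:10:00:04 +0000] "GET /pharmacy/index.php?page=home HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/pharmacy/manage_user.php"  # endpoint named in the advisory
# SQL syntax that has no business in a numeric id: UNION probes, the
# sqlite_version() fingerprint, comment terminators, tautologies.
SQLI_MARKERS = re.compile(
    r"(union\s+select|sqlite_version|--|/\*|\bor\b\s+\d+\s*=\s*\d+)", re.I
)


def classify_id(value: str) -> Optional[str]:
    """Return a reason if the (already URL-decoded) id looks injected, else None."""
    if re.fullmatch(r"\d+", value.strip()):
        return None  # legitimate value: a positive integer user id
    m = SQLI_MARKERS.search(value)
    if m:
        return "sql syntax: " + m.group(0).lower()
    if "'" in value or '"' in value:
        return "quote character in id"  # classic error-based probe
    return "non-numeric id"


def scan_log(text: str) -> list:
    """Parse each log line and flag suspicious id values sent to VULN_PATH."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs URL-decodes values; keep_blank_values keeps an empty id visible
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reason = classify_id(raw_id)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "status": int(m["status"]), "id": raw_id,
                                 "reason": reason})
    return findings
```

Feeding real logs through `scan_log` gives the source IP, timestamp and response status for each probe, which is what an incident responder needs to scope whether the UNION query above ever returned data (a 200 with a larger-than-usual body) versus only triggering errors.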

Mitigation Strategies

I don't know
