CVE-2026-30574
Status: Received - Intake
Business Logic Flaw in SourceCodester Pharmacy Allows Stock Manipulation

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: MITRE

Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock.
Meta Information
Published: 2026-03-27
Last Modified: 2026-03-31
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: senior-walter
Product: web-based_pharmacy_product_management_system
Version / Range: 1.0
CWE ID: CWE-841 (Improper Enforcement of Behavioral Workflow)
Description: The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of the CVE-2026-30574 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-30574 is a business logic error in SourceCodester Pharmacy Product Management System 1.0, located in the add-sales.php file.

The application reads the requested sales quantity from the txtqty form field and records the sale without checking that this many units are actually in stock. Because the check is missing on the server, an attacker who can submit the sales form can intercept the request and replace txtqty with a number far larger than the real stock.

With no server-side validation, the application processes the manipulated request as an ordinary sale. The recorded inventory is driven negative, or the system accepts orders that cannot physically be fulfilled.


How can this vulnerability impact me?

This vulnerability corrupts the inventory records: sales of quantities exceeding actual stock leave negative stock values, and any report or reorder decision based on those figures becomes unreliable.

It leads to unfulfillable orders, since the system records sales that cannot be physically completed.

In effect it is a denial of service against legitimate customers: once a bogus sale has consumed or driven negative the stock on record, genuine sales of that product can no longer be fulfilled.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability is confirmed by exercising the 'Add Sales' function of add-sales.php: a POST request whose `txtqty` (sales quantity) parameter is larger than the stock on hand is accepted and recorded. Note that a network sensor has no view of the stock level, so on the wire you can only flag implausibly large values; whether a given value actually exceeds stock has to be checked against the application's database.

A practical approach is to deploy the system in a test environment, pick a product with low stock, and intercept the sales request with an HTTP intercepting proxy such as Burp Suite. Set `txtqty` to a value well above the stock and observe whether the request is accepted without validation and the recorded stock goes negative.

For network detection, tcpdump or Wireshark can capture HTTP POST requests to add-sales.php so that the `txtqty` values in the form body can be inspected. This only works for cleartext HTTP; if the application is served over TLS, inspect the requests at the proxy or on the server instead.

  • Example tcpdump command to capture HTTP POST requests to add-sales.php (`-l` line-buffers the output for the pipe, `grep -A 20` prints the following lines so the form body containing `txtqty=` is shown, and the pattern allows for the application being installed in a subdirectory): tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -A 20 'POST .*add-sales.php'
  • Use an intercepting proxy (e.g., Burp Suite) to capture and modify the POST parameter `txtqty` to test whether the system accepts quantities exceeding stock.
  • On the server, the simplest indicator is the data itself: any product whose recorded stock is negative has been oversold.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is server-side validation in add-sales.php: reject the request unless `txtqty` is a positive integer that does not exceed the available stock of the product being sold. The comparison and the stock decrement should happen in the same database transaction (or as a single conditional UPDATE), so that two requests arriving at the same time cannot both pass the check before either decrements the stock.

Until a patch or update is applied, restrict access to the add-sales.php endpoint to trusted users only, and monitor sales transactions for quantities that exceed stock levels or leave a product's stock negative. Access restriction limits who can submit the request but does not remove the flaw: any user allowed to record a sale can still tamper with the form.

Additionally, consider a Web Application Firewall (WAF) rule that rejects requests whose `txtqty` is non-numeric, negative, or above a fixed ceiling. A WAF does not know the current stock, so such a rule catches only gross manipulation and is a stopgap, not a fix.
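As an added illustration (not code from this page or from the SourceCodester project), the following Python script models the missing check and the atomic fix described under mitigation, together with the database-side audit mentioned under detection. It uses an in-memory SQLite stand-in for the application's database; the table and column names (products, sales, qty), the seed stock and the MAX_QTY_PER_SALE ceiling are assumptions made for the example, not the real schema.

```python
import sqlite3

# Constructed in-memory stand-in for the pharmacy database. Table and column
# names are assumptions for this example; they are not the SourceCodester schema.
SCHEMA = """
CREATE TABLE products (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    qty  INTEGER NOT NULL
);
CREATE TABLE sales (
    id         INTEGER PRIMARY KEY,
    product_id INTEGER NOT NULL REFERENCES products(id),
    qty        INTEGER NOT NULL
);
"""
SEED = [(1, "Paracetamol 500mg", 20), (2, "Ibuprofen 200mg", 3)]  # constructed stock

MAX_QTY_PER_SALE = 10_000  # assumed hard ceiling for one sale; tune to the business


def new_db():
    """Fresh database with the constructed seed stock. Autocommit mode, so the
    transaction boundaries in add_sale_hardened are explicit."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SEED)
    return conn


def parse_qty(raw):
    """Strict parse of the txtqty form field: ASCII digits only, at least 1 and
    at most MAX_QTY_PER_SALE. Returns None for anything else ('-5', '', '1e9',
    '10.5', 'abc'), so the caller rejects the request outright."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        return None
    qty = int(raw)
    return qty if 1 <= qty <= MAX_QTY_PER_SALE else None


def add_sale_vulnerable(conn, product_id, raw_qty):
    """The flaw as described for add-sales.php: the quantity comes straight from
    the request and is subtracted from stock with no comparison at all."""
    qty = int(raw_qty)
    conn.execute("INSERT INTO sales (product_id, qty) VALUES (?, ?)", (product_id, qty))
    conn.execute("UPDATE products SET qty = qty - ? WHERE id = ?", (qty, product_id))
    return True


def add_sale_hardened(conn, product_id, raw_qty):
    """Server-side check. The stock comparison is folded into the UPDATE's WHERE
    clause inside a write transaction, so a concurrent request cannot slip in
    between a separate SELECT (check) and the decrement (TOCTOU)."""
    qty = parse_qty(raw_qty)
    if qty is None:
        return False
    conn.execute("BEGIN IMMEDIATE")
    try:
        cur = conn.execute(
            "UPDATE products SET qty = qty - ? WHERE id = ? AND qty >= ?",
            (qty, product_id, qty),
        )
        if cur.rowcount != 1:  # unknown product or insufficient stock
            conn.execute("ROLLBACK")
            return False
        conn.execute("INSERT INTO sales (product_id, qty) VALUES (?, ?)", (product_id, qty))
        conn.execute("COMMIT")
        return True
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        raise


def stock(conn, product_id):
    row = conn.execute("SELECT qty FROM products WHERE id = ?", (product_id,)).fetchone()
    return None if row is None else row[0]


def audit_overselling(conn):
    """Detection on the data itself rather than on the wire: a product with
    negative stock has been oversold. For each one, replay its sales in order
    from the reconstructed opening stock (current + total sold, which assumes
    no restocking in the period) and report the sale that first crossed zero."""
    findings = []
    for pid, name, qty in conn.execute("SELECT id, name, qty FROM products WHERE qty < 0"):
        sold = conn.execute(
            "SELECT COALESCE(SUM(qty), 0) FROM sales WHERE product_id = ?", (pid,)
        ).fetchone()[0]
        running = qty + sold
        for sale_id, sale_qty in conn.execute(
            "SELECT id, qty FROM sales WHERE product_id = ? ORDER BY id", (pid,)
        ):
            running -= sale_qty
            if running < 0:
                findings.append({"product": name, "stock": qty,
                                 "sale_id": sale_id, "sale_qty": sale_qty})
                break
    return findings


if __name__ == "__main__":
    db = new_db()
    add_sale_vulnerable(db, 2, "500")  # tampered txtqty against 3 units in stock
    print("vulnerable path left stock at", stock(db, 2))
    print("audit:", audit_overselling(db))
    db = new_db()
    print("hardened rejects 500:", add_sale_hardened(db, 2, "500"))
    print("hardened accepts 3:", add_sale_hardened(db, 2, "3"))
    print("hardened rejects '-5':", add_sale_hardened(db, 1, "-5"))
```

Run as a script, the vulnerable path leaves the Ibuprofen row at -497 and the audit names the sale that caused it; the hardened path rejects the same request, leaves the stock at 3, and also refuses negative, zero, fractional and non-numeric quantities. In the real PHP handler the fix is the same idea: a prepared `UPDATE ... WHERE id = ? AND qty >= ?` whose affected-row count decides whether the sale is recorded.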

