CVE-2026-30575
Received Received - Intake
Business Logic Flaw in SourceCodester Pharmacy Causes Inventory Corruption

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: MITRE

Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This causes the system to decrease the inventory level instead of increasing it, leading to inventory corruption and potential Denial of Service by depleting stock records.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30575
EUVD
EUVD-2026-16707
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
senior-walter web-based_pharmacy_product_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30575 is a Business Logic vulnerability in the Pharmacy Product Management System version 1.0, specifically in the add-stock.php file responsible for stock entry.

The vulnerability occurs because the system fails to properly validate the input parameter 'txtqty', which is supposed to accept only positive integers to increase inventory stock.

An attacker can submit negative values for 'txtqty', causing the system to subtract from the current stock instead of adding to it. This allows unauthorized reduction or destruction of inventory records without needing delete permissions.

This can lead to inventory corruption and potentially cause a Denial of Service by depleting stock records, which may block legitimate sales if stock availability checks are enforced.

Impact Analysis

This vulnerability can have several impacts on your system:

  • Malicious reduction or destruction of inventory stock by submitting negative quantities.
  • Corruption of stock-in data integrity, leading to inaccurate inventory records.
  • Potential Denial of Service (DoS) by depleting stock levels to zero, which can block legitimate sales if the system checks stock availability before processing orders.
Detection Guidance

This vulnerability can be detected by monitoring and inspecting POST requests to the add-stock.php endpoint, specifically looking for the parameter `txtqty` containing negative values.

An example approach is to capture HTTP traffic to the Add Stock page and check if any requests submit negative numbers in the `txtqty` parameter, which should normally only accept positive integers.

A proof-of-concept involves intercepting the 'Save' request and modifying the `txtqty` parameter to a negative value, such as -100.

  • Use a network traffic capture tool like Wireshark or a proxy tool like Burp Suite to intercept POST requests to add-stock.php.
  • Look for POST data containing `txtqty` with negative values.
  • Example curl command to test the vulnerability by sending a negative quantity: curl -X POST -d "txtqty=-100" http://target/add-stock.php
Mitigation Strategies

Immediate mitigation steps include implementing proper input validation on the `txtqty` parameter to ensure only positive integers are accepted.

Restrict or sanitize user input on the server side to reject negative values before processing stock updates.

Additionally, monitor inventory levels for unexpected decreases that could indicate exploitation.

If possible, temporarily disable the add-stock functionality or restrict access to trusted users until a patch or fix is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30575. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart