CVE-2026-7127
SQL Injection in SourceCodester Pharmacy System Enables Remote Attack
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pharmacy_sales_and_inventory_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7127 is a critical SQL injection vulnerability found in version 1.0 of the Pharmacy Sales and Inventory System. It exists in the file /ajax.php when accessed with the parameter action=delete_receiving. The vulnerability arises because the id parameter in a POST request is not properly sanitized or validated before being used in SQL queries.
This lack of input validation allows attackers to inject malicious SQL code remotely without needing any authentication or authorization.
Exploitation can lead to unauthorized database operations such as accessing sensitive data, modifying or deleting records, and potentially gaining full control over the system.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive data, data leakage, and data tampering.
Attackers can modify or delete records, disrupt services, and potentially compromise the entire system.
Such impacts threaten system security and business continuity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /ajax.php endpoint with the parameter action=delete_receiving and manipulating the id parameter to check for SQL injection flaws.
A proof of concept test using tools like sqlmap can confirm the presence of a boolean-based blind SQL injection via the id parameter.
An example payload to test the vulnerability is: id=(SELECT (CASE WHEN (4784=4784) THEN 5 ELSE (SELECT 7976 UNION SELECT 3350) END))
Using sqlmap, a command to test this could be structured as follows: sqlmap -u "http://target/ajax.php?action=delete_receiving" --data="id=1" --method=POST --dbms=mysql --technique=B --batch
What immediate steps should I take to mitigate this vulnerability?
- Use prepared statements with parameter binding to separate SQL code from user input, preventing SQL injection.
- Implement strict input validation and filtering to ensure inputs conform to expected formats.
- Minimize database user permissions by avoiding the use of high-privilege accounts (e.g., root or admin) for routine operations.
- Conduct regular security audits of code and systems to detect and fix vulnerabilities promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Pharmacy Sales and Inventory System allows unauthorized access, modification, and deletion of sensitive data. Such unauthorized data access and tampering can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and health-related information.
Failure to secure the system against this vulnerability could result in data breaches, compromising confidentiality, integrity, and availability of sensitive data, thereby impacting compliance with these common standards and regulations.