CVE-2026-7129
Cross-Site Scripting in SourceCodester Pharmacy Inventory System
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pharmacy_sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-7129 vulnerability is a Cross-Site Scripting (XSS) flaw found in version 1.0 of the Pharmacy Sales and Inventory System. It exists in the `/index.php?page=categories` endpoint, specifically in the handling of the `id` parameter.
The system fails to properly validate or encode user input from this parameter, directly outputting it to the web page without filtering. This allows attackers to inject and execute arbitrary JavaScript code in the victim's browser.
Exploitation does not require any user authentication or login, making it possible for attackers to remotely carry out the attack.
How can this vulnerability impact me?
This vulnerability can have significant impacts including:
- Attackers can steal cookies, session tokens, or other sensitive information.
- Attackers can perform unauthorized actions on behalf of the victim.
- Web pages can be defaced or users redirected to malicious sites.
- Attackers may potentially gain control over the victim's browser.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /index.php?page=categories endpoint with manipulated id parameters to check for reflected cross-site scripting (XSS). A common method is to inject a proof-of-concept payload such as <script>prompt(/xss/);</script> into the id parameter and observe if the script executes in the browser.
For example, you can use curl or a web browser to send a request like:
- `curl "http://target-site/index.php?page=categories&id=<script>prompt(/xss/);</script>"`
If the payload executes (e.g., a prompt box appears), the system is vulnerable. Additionally, automated web vulnerability scanners that test for reflected XSS can be used to detect this issue.
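Beyond probing the endpoint directly, a defender can look back through web-server access logs for requests to the affected page whose `id` value does not match the expected format. The script below is an added example and not part of the CVE record or the vendor's software: the log lines are constructed samples in the common combined log format, the endpoint and parameter names come from the advisory text, and the assumption that a legitimate `id` is a positive integer is the reviewer's, not the vendor's documented contract.

```python
"""Flag requests to /index.php?page=categories whose id parameter is not a plain integer.

Added example, not code from the CVE record or the Pharmacy Sales and Inventory
System. The expected format of id (a positive integer) is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Apr/2026:10:01:12 +0000] "GET /index.php?page=categories&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Apr/2026:10:02:45 +0000] "GET /index.php?page=categories&id=%3Cscript%3Eprompt(/xss/)%3B%3C/script%3E HTTP/1.1" 200 5211 "-" "curl/8.5.0"
203.0.113.5 - - [27/Apr/2026:10:03:01 +0000] "GET /index.php?page=products&id=7 HTTP/1.1" 200 4875 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Apr/2026:10:04:20 +0000] "GET /index.php?page=categories&id=abc HTTP/1.1" 200 5230 "-" "curl/8.5.0"
"""

# Client address, timestamp, request line (method + target + protocol) and status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allow-list for a legitimate category id.
ID_OK = re.compile(r"^\d{1,10}$")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_id_requests(log_text):
    """Return entries for the categories page whose decoded id is not a positive integer."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        parts = urlsplit(entry["target"])
        if parts.path != "/index.php":
            continue
        # parse_qs percent-decodes values, so an encoded <script> tag is seen in clear.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("page") != ["categories"] or "id" not in qs:
            continue
        for value in qs["id"]:
            if not ID_OK.match(value):
                findings.append({
                    "client": entry["client"],
                    "timestamp": entry["ts"],
                    "id_value": value,
                    "status": entry["status"],
                })
    return findings


if __name__ == "__main__":
    for f in suspicious_id_requests(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} id={f['id_value']!r} status={f['status']}")
```

Matching on "anything that is not an integer" rather than on known payload strings catches encoded and obfuscated variants alike, and a 200 status on such a request is a useful signal that the application reflected the value rather than rejecting it. Run it over a real log by replacing `SAMPLE_LOG` with the file contents.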
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement proper output encoding for all user inputs before rendering them on the page, using context-appropriate encoding methods.
- Enforce strict input validation and filtering on the id parameter to allow only expected formats and reject or escape potentially malicious content such as script tags.
- Deploy a strict Content Security Policy (CSP) to restrict script sources and prevent execution of unauthorized inline or external scripts.
- Set HttpOnly and Secure flags on sensitive cookies to prevent JavaScript access and ensure cookies are transmitted only over HTTPS.
- Conduct regular security audits and code reviews to detect and fix XSS and other vulnerabilities promptly.
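The following is an added example, not the vendor's code (the Pharmacy Sales and Inventory System is written in PHP, and its actual handler is not reproduced here): it models the reflected-output pattern the advisory describes beside a hardened version that applies the first four mitigation steps above. The page layout, the `BadRequest` error type, the regular expression used as the `id` allow-list and the CSP policy string are all assumptions; `PHPSESSID` is PHP's default session cookie name and its value is a placeholder.

```python
"""Vulnerable versus hardened handling of the id parameter (added example).

Not the application's code; a Python model of allow-list validation,
context-appropriate output encoding, a restrictive CSP and cookie flags.
"""
import html
import re
from urllib.parse import quote

# Assumed expected format for id: a positive integer of bounded length.
ID_OK = re.compile(r"^\d{1,10}$")


class BadRequest(Exception):
    """Raised when a request parameter fails allow-list validation (assumed error type)."""


def render_vulnerable(params):
    """The CWE-79 pattern the advisory describes: id is reflected into the page unchanged."""
    return "<h2>Category " + params.get("id", "") + "</h2>"


def encode_for_html(value):
    """Encode for HTML body and double-quoted attribute contexts (&, <, >, quotes)."""
    return html.escape(value, quote=True)


def encode_for_url(value):
    """Encode for a URL query component, e.g. a self-link back to the category."""
    return quote(value, safe="")


def render_hardened(params):
    """Validate first, then encode per output context as defence in depth."""
    cat_id = params.get("id", "")
    if not ID_OK.match(cat_id):
        raise BadRequest("id must be a positive integer")
    body = "<h2>Category " + encode_for_html(cat_id) + "</h2>"
    link = ('<a href="/index.php?page=categories&amp;id='
            + encode_for_url(cat_id) + '">permalink</a>')
    return body + link


def response_headers(session_id):
    """Headers covering the CSP and cookie-flag steps; policy string is an assumption."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        "Set-Cookie": f"PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    poc = {"id": "<script>prompt(/xss/);</script>"}  # the advisory's proof-of-concept value
    print("vulnerable:", render_vulnerable(poc))
    try:
        render_hardened(poc)
    except BadRequest as err:
        print("hardened rejected request:", err)
    print("hardened:", render_hardened({"id": "3"}))
    print("encoded:", encode_for_html(poc["id"]))
    print(response_headers("placeholder-session-id"))
```

Validation alone would stop this particular report, but the encoding step is kept even for a value that has passed the allow-list, so that a later loosening of the regex (or a new free-text parameter) does not silently reintroduce the bug; the CSP and cookie flags limit what an injected script could do if one ever got through.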
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Cross-Site Scripting (XSS) vulnerability in the Pharmacy Sales and Inventory System allows attackers to execute arbitrary JavaScript code, potentially stealing cookies, session tokens, or other sensitive information. This unauthorized access and data exposure can lead to violations of data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Failure to remediate this vulnerability promptly may result in non-compliance with these standards, as they mandate appropriate security controls to protect user data and prevent exploitation of web application vulnerabilities.