CVE-2026-7392
SQL Injection in Pharmacy Sales and Inventory System
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pharmacy_sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the SourceCodester Pharmacy Sales and Inventory System version 1.0. It affects the delete_supplier function in the file /ajax.php?action=delete_supplier. The issue arises because the argument ID can be manipulated, leading to a SQL injection vulnerability. This means an attacker can remotely execute malicious SQL commands by altering the ID parameter.
How can this vulnerability impact me?
The vulnerability allows an attacker to perform SQL injection remotely, which can lead to unauthorized access to the database. This can result in data leakage, data modification, or deletion of important information related to suppliers or other sensitive data stored in the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a SQL injection in the delete_supplier function of SourceCodester Pharmacy Sales and Inventory System 1.0, which can be exploited remotely.
Such vulnerabilities can potentially lead to unauthorized access or manipulation of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA.
However, there is no specific information provided about the impact of this vulnerability on compliance with these standards in the provided context.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /ajax.php?action=delete_supplier endpoint for SQL injection via the id parameter. One common method is to send specially crafted HTTP requests with SQL injection payloads and observe the responses for anomalies or error messages indicating SQL injection.
- Use curl or similar tools to send requests with SQL injection payloads, for example: curl "http://target/ajax.php?action=delete_supplier&id=1' OR '1'='1"
- Test for boolean-based blind SQL injection by sending payloads that alter the query logic and comparing the responses for differences in behaviour.
- Use automated vulnerability scanners that support SQL injection detection targeting the id parameter in the specified endpoint.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing prepared statements with parameter binding to prevent SQL injection.
- Apply strict input validation on the id parameter to ensure only expected values are accepted.
- Minimize database user permissions to limit the impact of any potential exploitation.
- Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.
Can you explain this vulnerability to me?
This vulnerability is a SQL injection found in the Pharmacy Sales and Inventory System 1.0, specifically in the /ajax.php?action=delete_supplier file. It occurs because the id parameter is not properly validated, allowing attackers to inject malicious SQL queries into the database.
The attack can be executed remotely without requiring authentication, enabling unauthorized users to manipulate database queries.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to unauthorized access to the database, manipulation of data, leakage of sensitive information, and potentially complete system compromise.
Attackers can perform boolean-based blind SQL injection attacks to manipulate query logic, which poses severe risks to data integrity, system security, and business continuity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the `id` parameter in the `/ajax.php?action=delete_supplier` endpoint for injection flaws. One common method is to send specially crafted payloads that manipulate the SQL query logic and observe the response for anomalies or error messages.
- Use curl or similar tools to send requests with SQL injection payloads, for example: curl "http://target/ajax.php?action=delete_supplier&id=1' OR '1'='1"
- Perform boolean-based blind SQL injection tests by sending payloads that alter query logic and checking for differences in response behavior.
- Monitor network traffic for suspicious requests targeting `/ajax.php?action=delete_supplier` with unusual or malformed `id` parameters.
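The last point above, monitoring for requests to /ajax.php?action=delete_supplier whose id parameter is not a plain integer, can be turned into a small log check. The following Python script is an added example and not part of the CVE record or the SourceCodester project: it parses Apache combined-format access-log lines (the sample lines are constructed for this example, including one that carries the page's own `1' OR '1'='1` value URL-encoded), flags every delete_supplier request whose id fails a strict digits-only check, and tallies attempts per client address. The log format, the client addresses and the timestamps are assumptions; only the endpoint and parameter name come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache "combined" format.
# They are made up for this example; none of them come from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2026:10:01:02 +0000] "GET /ajax.php?action=delete_supplier&id=7 HTTP/1.1" 200 15 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Apr/2026:10:01:09 +0000] "GET /ajax.php?action=delete_supplier&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 15 "-" "curl/8.4.0"
10.0.0.9 - - [29/Apr/2026:10:01:15 +0000] "GET /ajax.php?action=delete_supplier&id=1%20AND%201%3D2 HTTP/1.1" 200 15 "-" "curl/8.4.0"
10.0.0.5 - - [29/Apr/2026:10:02:00 +0000] "GET /ajax.php?action=list_suppliers HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Apr/2026:10:02:30 +0000] "POST /ajax.php?action=delete_supplier HTTP/1.1" 200 15 "-" "curl/8.4.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The only legitimate shape for a supplier id: a short string of ASCII digits.
VALID_ID = re.compile(r'^[0-9]{1,10}$')


def classify_request(target):
    """Classify a request-target string from the log.

    Returns None when the request is not for the delete_supplier action,
    'ok' when every id value is a plain integer, 'suspicious' when any id
    value is not, and 'unknown' when no id is present in the query string
    (a POST body is not written to the access log, so it cannot be judged here).
    """
    parts = urlsplit(target)
    if parts.path != '/ajax.php':
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get('action') != ['delete_supplier']:
        return None
    ids = query.get('id')
    if not ids:
        return 'unknown'
    return 'ok' if all(VALID_ID.match(v) for v in ids) else 'suspicious'


def find_suspicious(log_text):
    """Return (ip, timestamp, decoded id) for each suspicious delete_supplier request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if classify_request(m['target']) != 'suspicious':
            continue
        # parse_qs has already percent-decoded the value, so the log shows
        # the id exactly as the application would have received it.
        decoded = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)['id']
        hits.append((m['ip'], m['ts'], decoded[0]))
    return hits


def attempts_per_client(hits):
    """Count suspicious attempts per client IP; a natural input for an alert threshold."""
    counts = {}
    for ip, _ts, _id in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == '__main__':
    suspicious = find_suspicious(SAMPLE_LOG)
    for ip, ts, bad_id in suspicious:
        print(f'{ts} {ip} suspicious id={bad_id!r}')
    print(attempts_per_client(suspicious))
```

Run against the sample it reports the two curl requests from 10.0.0.9 and nothing else; the legitimate integer id and the unrelated list_suppliers call are not flagged, and the POST without an id in the query string is left as unknown rather than guessed at. Pointing `find_suspicious` at a real access log (reading the file instead of `SAMPLE_LOG`) gives the same classification for each line.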
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing prepared statements with parameter binding to prevent SQL injection.
- Apply strict input validation on the `id` parameter to ensure only expected values are accepted.
- Minimize database user permissions to limit the impact of a potential exploit.
- Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.
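To make the first two mitigation points concrete (prepared statements with parameter binding, plus strict validation of the id parameter), here is an added example that models the delete_supplier handler in Python against an in-memory SQLite database. It is not the project's PHP code and not the CVE record's content: the `suppliers` table, its columns and the three sample rows are constructed assumptions, and the two functions stand in for the weak and the corrected version of the handler. The vulnerable variant is included only to show, with the value the page quotes, why string-built SQL fails and how the hardened variant refuses the same input before it reaches the database.

```python
import re
import sqlite3

# Constructed supplier rows for an in-memory SQLite database; the real
# application's table and column names are an assumption in this example.
SAMPLE_SUPPLIERS = [(1, 'Acme Pharma'), (2, 'Beta Labs'), (3, 'Gamma Meds')]

# A supplier id is accepted only as a short string of ASCII digits.
VALID_ID = re.compile(r'^[0-9]{1,10}$')


def make_db():
    """Create a fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)')
    conn.executemany('INSERT INTO suppliers (id, name) VALUES (?, ?)', SAMPLE_SUPPLIERS)
    conn.commit()
    return conn


def count_suppliers(conn):
    return conn.execute('SELECT COUNT(*) FROM suppliers').fetchone()[0]


def delete_supplier_vulnerable(conn, raw_id):
    """The weak pattern: the request value is pasted into the SQL text.

    Returns the number of rows deleted. With the value the page quotes,
    1' OR '1'='1, the WHERE clause becomes always-true and every row goes.
    """
    sql = "DELETE FROM suppliers WHERE id = '" + raw_id + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_supplier_hardened(conn, raw_id):
    """The corrected pattern: validate the shape first, then bind the value.

    Raises ValueError for anything that is not a short ASCII-digit string,
    and otherwise returns the number of rows deleted (0 or 1).
    """
    if not isinstance(raw_id, str) or not VALID_ID.match(raw_id):
        raise ValueError('supplier id must be a positive integer')
    supplier_id = int(raw_id)
    # The placeholder keeps the value out of the SQL text entirely, so no
    # character in it can change how the statement is parsed.
    cur = conn.execute('DELETE FROM suppliers WHERE id = ?', (supplier_id,))
    conn.commit()
    return cur.rowcount


def is_rejected(raw_id):
    """True when the hardened handler refuses the value before touching the database."""
    try:
        delete_supplier_hardened(make_db(), raw_id)
        return False
    except ValueError:
        return True


if __name__ == '__main__':
    crafted = "1' OR '1'='1"
    db = make_db()
    print('vulnerable handler deleted', delete_supplier_vulnerable(db, crafted), 'rows; left:', count_suppliers(db))
    db = make_db()
    print('hardened handler rejects crafted value:', is_rejected(crafted), '; rows intact:', count_suppliers(db))
    print('hardened handler deleted', delete_supplier_hardened(db, '2'), 'row for id 2; left:', count_suppliers(db))
```

Validation and binding do different jobs and both are worth keeping: the regex rejects anything that is not an id at all (a cheap early failure that is also easy to log), while the bound parameter guarantees that whatever value does get through is treated as data, even if the validation rule is later relaxed. The third mitigation point, least privilege, is not something SQLite models; in the MySQL deployment this application targets it means giving the web application's database account only the statements it needs on the tables it uses, so a query that does go wrong cannot reach beyond them.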