CVE-2026-7746
SQL Injection in Web-based Pharmacy Product Management System
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | web_based_pharmacy_product_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL Injection vulnerability in the Web-based Pharmacy Product Management System allows an authenticated remote attacker to extract sensitive database information, including multiple databases and hundreds of tables. This unauthorized data disclosure and potential data tampering can lead to violations of data protection regulations such as GDPR and HIPAA, which mandate the confidentiality, integrity, and security of personal and health-related information.
Failure to properly validate and sanitize user input, resulting in this vulnerability, indicates insufficient security controls that are required by these standards. Exploitation of this flaw could result in unauthorized access to protected health information (PHI) or personally identifiable information (PII), thereby compromising compliance with regulatory requirements.
Mitigations such as using prepared statements, strict input validation, least privilege database access, and regular security testing are necessary to maintain compliance and reduce the risk of data breaches.
Can you explain this vulnerability to me?
CVE-2026-7746 is an SQL Injection vulnerability in the SourceCodester Web-based Pharmacy Product Management System version 1.0. It exists in the file edit-admin.php, specifically in the id parameter. The application does not properly validate or sanitize this user input, allowing an authenticated remote attacker to inject malicious SQL statements.
This flaw occurs because user input is directly concatenated into SQL queries without using prepared statements or input validation, making it possible to manipulate the database queries.
How can this vulnerability impact me?
An attacker with valid authentication can exploit this vulnerability to execute arbitrary SQL commands on the database. This can lead to unauthorized disclosure of sensitive data, data tampering, or disruption of service.
- Extraction of database information, including multiple databases and hundreds of tables.
- Unauthorized data disclosure.
- Data tampering or modification.
- Potential service disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by testing the `id` parameter in the `edit-admin.php` file for SQL injection flaws. Tools like sqlmap can be used to automate this detection by targeting the vulnerable parameter and attempting to extract database information.
- Use sqlmap with a valid authenticated session to test the `id` parameter, for example: `sqlmap -u "http://target/product_expiry/edit-admin.php?id=1" --cookie="SESSION=your_session_cookie" --dbs`
- Manually test the `id` parameter by injecting SQL payloads such as `' OR '1'='1` or `' UNION SELECT NULL--` to observe if the application returns database errors or unexpected data.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing prepared statements to avoid direct concatenation of user input into SQL queries and enforcing strict input validation on the `id` parameter.
- Apply least privilege principles to the database user to limit the impact of a potential SQL injection.
- Conduct regular security testing to identify and fix similar vulnerabilities.
- Ensure that only authenticated users can access the vulnerable functionality, and monitor logs for suspicious activity related to SQL injection attempts.
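The two fixes the answers above keep returning to, strict validation of the `id` parameter and a prepared statement instead of string concatenation, look like this in PHP. This is an added example written for this page, not code from the SourceCodester project: the `admins` table, its columns, the function names and the SQLite in-memory backing store are all assumptions made so the snippet runs on its own. It also covers the last bullet's logging point by recording every rejected `id` value, which is the signal a defender would watch for against `edit-admin.php`.

```php
<?php
// Added example (not the project's code). Schema, table name and the SQLite
// backing store are assumptions chosen so the script runs stand-alone.
declare(strict_types=1);

// Constructed in-memory database standing in for the application's real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO admins (id, username) VALUES (1, 'admin'), (2, 'pharmacist')");

// Vulnerable pattern (CWE-89), shown for contrast only and never called below:
// the request value is spliced straight into the SQL text, so anything that
// is not a plain integer is interpreted as SQL syntax by the database.
function loadAdminUnsafe(PDO $pdo, string $id): ?array
{
    $sql = "SELECT id, username FROM admins WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: validate the type first, then bind the value as a
// parameter so it can only ever be treated as data, never as statement text.
function loadAdminSafe(PDO $pdo, string $rawId): ?array
{
    // Strict integer check: rejects quotes, spaces, operators, empty strings.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Rejected values are worth logging: repeated rejections against
        // edit-admin.php are the suspicious activity the advisory suggests monitoring.
        error_log(sprintf('rejected non-integer id parameter: %s', json_encode($rawId)));
        return null;
    }

    $stmt = $pdo->prepare('SELECT id, username FROM admins WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: one legitimate id and one carrying the payload shape
// quoted in the detection answer above. Only the hardened function is exercised.
var_dump(loadAdminSafe($pdo, '2'));
var_dump(loadAdminSafe($pdo, "2' OR '1'='1"));
```

Run with `php example.php`: the first call returns the `pharmacist` row, the second returns `NULL` and writes one `rejected non-integer id parameter` line to the error log. The validation step matters even with a prepared statement, because it turns malformed requests into a log event instead of a silent empty result, and `PDO::PARAM_INT` binding ensures the database driver never has to parse the value as SQL.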