CVE-2026-10245
Status: Received - Intake
Cross-Site Scripting in Pharmacy Sales and Inventory System

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is the function create_supplier of the file /ShowForm/create_supplier/main. Manipulation of the argument company_name leads to cross-site scripting. The attack can be launched remotely. An exploit has been published and may be used.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: sourcecodester; Product: pharmacy_sales_and_inventory_system; Version / Range: 1.0
CWE ID / Description
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a cross-site scripting (XSS) flaw found in the SourceCodester Pharmacy Sales and Inventory System version 1.0. It exists in the create_supplier function located in the /ShowForm/create_supplier/main file. An attacker can manipulate the company_name argument to inject malicious scripts.

The attack can be launched remotely, meaning an attacker does not need local access to exploit this vulnerability. The exploit has already been published and may be used by attackers.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this cross-site scripting vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0 impacts compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This cross-site scripting vulnerability can allow attackers to execute malicious scripts in the context of the affected web application. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, or redirecting users to malicious sites.

Since the attack can be performed remotely, it increases the risk of exploitation without requiring physical or internal network access.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a cross-site scripting (XSS) flaw in the create_supplier function of the file /ShowForm/create_supplier/main in SourceCodester Pharmacy Sales and Inventory System 1.0. Detection involves identifying whether the company_name parameter is vulnerable to script injection.

To detect this vulnerability, you can attempt to inject typical XSS payloads into the company_name parameter and observe if the input is reflected unsanitized in the response.

  • Use curl or similar tools to send a request with a script payload, for example: curl -G --data-urlencode "company_name=<script>alert(1)</script>" http://target/ShowForm/create_supplier/main
  • Use a web proxy or browser developer tools to inspect the response for unescaped script tags or JavaScript execution.
  • Automated scanners or tools like OWASP ZAP or Burp Suite can be used to test for reflected XSS on the affected endpoint.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and validating the input received in the company_name parameter to prevent injection of malicious scripts.

Implement proper output encoding on the server side to ensure that any user-supplied data is safely rendered in the HTML context.

If possible, apply patches or updates provided by the vendor or community addressing this vulnerability.

As a temporary measure, consider blocking or filtering suspicious input patterns at the web application firewall or network level.
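As an added illustration (not code from this record or from the SourceCodester project, whose implementation language the record does not state), the following Python sketch places the flawed pattern beside the corrected one: the company_name value is reflected into the supplier form once raw and once encoded for the HTML attribute context, with a length/printability check and a helper that tells an encoded response apart from a raw reflection. The sample input values are constructed for the example.

```python
import html

# Constructed sample input (not from the advisory): a company_name value
# carrying a script tag, the kind of untrusted input CWE-79 describes.
TAINTED_COMPANY_NAME = "<script>alert(1)</script>"


def render_vulnerable(company_name: str) -> str:
    """Flawed pattern: reflect the submitted value into the form unencoded."""
    return f'<input type="text" name="company_name" value="{company_name}">'


def render_hardened(company_name: str) -> str:
    """Corrected pattern: encode for the HTML attribute context at output time.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so neither a
    script tag nor a stray quote can break out of the attribute value.
    """
    return (
        '<input type="text" name="company_name" '
        f'value="{html.escape(company_name, quote=True)}">'
    )


def validate_company_name(company_name: str, max_len: int = 120) -> bool:
    """Server-side input check that complements encoding but does not replace it:
    bounded length and printable characters only. Legitimate names keep their
    ampersands and quotes, and a plain script tag still passes, which is why
    output encoding is the actual fix."""
    return 0 < len(company_name) <= max_len and company_name.isprintable()


def reflected_verbatim(response_body: str, submitted: str) -> bool:
    """Detection aid for a captured response: True when the submitted value
    appears byte-for-byte (not entity-encoded) in the page the server returned."""
    return submitted in response_body


if __name__ == "__main__":
    for name in (TAINTED_COMPANY_NAME, 'Acme "Best" Pharma & Co.'):
        print("vulnerable:", render_vulnerable(name))
        print("hardened:  ", render_hardened(name))
        print("raw reflection in hardened page:",
              reflected_verbatim(render_hardened(name), name))
```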