CVE-2026-10246
Deferred Deferred - Pending Action
Cross-Site Scripting in Pharmacy Sales and Inventory System

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function create_medicine_presentation of the file /ShowForm/create_medicine_presentation/main. The manipulation of the argument medicine_presentation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10246
EUVD
EUVD-2026-33620
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester pharmacy_sales_and_inventory_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The CVE-2026-10246 vulnerability is a Cross-Site Scripting (XSS) issue that allows attackers to execute arbitrary scripts in a victim's browser, potentially stealing sensitive data such as cookies or session tokens.

Such unauthorized access and data theft can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access and breaches.

Therefore, if exploited, this vulnerability could compromise compliance with these standards by exposing sensitive user data and failing to maintain adequate security controls.

Executive Summary

CVE-2026-10246 is a Cross-Site Scripting (XSS) vulnerability found in the Pharmacy Sales and Inventory System 1.0, specifically in the create_medicine_presentation function of the file /ShowForm/create_medicine_presentation/main.

The vulnerability arises because the 'medicine_presentation' parameter is not properly validated or encoded before being output to the web page. This allows attackers to inject malicious scripts that execute in the browsers of users who visit the affected page.

Exploitation can be done remotely without requiring login or authorization, enabling attackers to perform actions such as stealing cookies or session tokens, unauthorized actions, defacing pages, or redirecting users to malicious sites.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary scripts in your users' browsers.

  • Stealing sensitive information such as cookies or session tokens.
  • Performing unauthorized actions on behalf of users.
  • Defacing web pages or altering content.
  • Redirecting users to malicious websites.

Since exploitation does not require authentication, any user visiting the vulnerable page could be affected.

Detection Guidance

This vulnerability can be detected by testing the 'medicine_presentation' parameter in the '/ShowForm/create_medicine_presentation/main' endpoint for Cross-Site Scripting (XSS) issues. You can attempt to inject typical XSS payloads into this parameter and observe if the input is reflected unsanitized in the web page output.

For example, you can use curl or similar tools to send HTTP requests with XSS payloads and check the response for script execution or reflected payloads.

  • curl -X POST 'http://target-site/ShowForm/create_medicine_presentation/main' -d 'medicine_presentation=<script>alert(1)</script>' -v
  • Use a web proxy or browser developer tools to inspect if the injected script appears in the response without proper encoding.

Additionally, automated web vulnerability scanners that test for reflected XSS vulnerabilities can be used against this endpoint.

Mitigation Strategies

Immediate mitigation steps include implementing proper input validation and output encoding on the 'medicine_presentation' parameter to prevent malicious script injection.

Additional recommended actions are:

  • Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts.
  • Set secure and HttpOnly flags on cookies to protect session data from being accessed by injected scripts.
  • Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart