CVE-2026-10248
CSV Injection in Pharmacy Sales and Inventory System
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pharmacy_sales_and_inventory_system | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10248 is a CSV Injection vulnerability found in the SourceCodester Pharmacy Sales and Inventory System up to version 1.0. It occurs in the 'create_supplier' function within the '/Export_csv/export' component, where user-supplied data such as supplier name, mobile, address, and previous due are exported to a CSV file without proper sanitization.
This lack of sanitization allows attackers to inject malicious formulas (e.g., starting with =, +, -, @) into the CSV file. When the file is opened in spreadsheet applications like Microsoft Excel or WPS Spreadsheet, these formulas execute, potentially enabling unauthorized actions.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to serious security risks including data exfiltration, phishing attacks, and even command execution on the victim's machine.
Since the malicious formulas execute when the CSV file is opened, attackers can leverage this to compromise data confidentiality and system security.
Note that exploitation requires login access to the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves CSV injection through unsanitized user input fields in exported CSV files. Detection can focus on identifying CSV files generated by the '/Export_csv/export' functionality that contain formula characters such as '=', '+', '-', or '@' in supplier-related fields like supplier_name, mobile, address, and previous_due.
To detect potential exploitation, you can inspect exported CSV files for the presence of these characters at the beginning of fields. For example, using command-line tools to search for lines starting with these characters in CSV files can help identify suspicious entries.
- grep -E '^(=|\+|\-|@)' /path/to/exported.csv
- awk -F, '{for(i=1;i<=NF;i++) if ($i ~ /^=|\+|\-|@/) print NR, $i}' /path/to/exported.csv
Additionally, monitoring logs for unusual login activity or export requests to the '/Export_csv/export' endpoint may help detect attempts to exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing the CSV output to prevent formula injection. This can be done by prefixing any potentially dangerous characters (=, +, -, @) in user-supplied fields with a single quote (') to neutralize them.
Other recommended actions are to block or filter formula injection characters in input fields, implement secure CSV export headers, and apply output encoding to ensure that exported data cannot be interpreted as executable formulas by spreadsheet applications.
Conducting regular security audits and restricting access to the export functionality to authorized users only can further reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CSV Injection vulnerability in the Pharmacy Sales and Inventory System can lead to unauthorized execution of malicious formulas when CSV files are opened in spreadsheet applications. This exploitation can result in data exfiltration and compromise of data confidentiality and system security.
Such breaches of data confidentiality and potential unauthorized access to sensitive information may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and disclosure.
Therefore, failure to mitigate this vulnerability could lead to non-compliance with these standards due to the risk of data leakage and insufficient protection of sensitive supplier or patient information.