Compliance Impact

The CSV Injection vulnerability in the Pharmacy Sales and Inventory System can lead to unauthorized execution of malicious formulas when CSV files are opened in spreadsheet applications. This exploitation can result in data exfiltration and compromise of data confidentiality and system security.

Such breaches of data confidentiality and potential unauthorized access to sensitive information may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and disclosure.

Therefore, failure to mitigate this vulnerability could lead to non-compliance with these standards due to the risk of data leakage and insufficient protection of sensitive supplier or patient information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-10248 is a CSV Injection vulnerability found in the SourceCodester Pharmacy Sales and Inventory System up to version 1.0. It occurs in the 'create_supplier' function within the '/Export_csv/export' component, where user-supplied data such as supplier name, mobile, address, and previous due are exported to a CSV file without proper sanitization.

This lack of sanitization allows attackers to inject malicious formulas (e.g., starting with =, +, -, @) into the CSV file. When the file is opened in spreadsheet applications like Microsoft Excel or WPS Spreadsheet, these formulas execute, potentially enabling unauthorized actions.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can lead to serious security risks including data exfiltration, phishing attacks, and even command execution on the victim's machine.

Since the malicious formulas execute when the CSV file is opened, attackers can leverage this to compromise data confidentiality and system security.

Note that exploitation requires login access to the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves CSV injection through unsanitized user input fields in exported CSV files. Detection can focus on identifying CSV files generated by the '/Export_csv/export' functionality that contain formula characters such as '=', '+', '-', or '@' in supplier-related fields like supplier_name, mobile, address, and previous_due.

To detect potential exploitation, you can inspect exported CSV files for the presence of these characters at the beginning of fields. For example, using command-line tools to search for lines starting with these characters in CSV files can help identify suspicious entries.

• grep -E '^(=|\+|\-|@)' /path/to/exported.csv
• awk -F, '{for(i=1;i<=NF;i++) if ($i ~ /^=|\+|\-|@/) print NR, $i}' /path/to/exported.csv

Additionally, monitoring logs for unusual login activity or export requests to the '/Export_csv/export' endpoint may help detect attempts to exploit this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing the CSV output to prevent formula injection. This can be done by prefixing any potentially dangerous characters (=, +, -, @) in user-supplied fields with a single quote (') to neutralize them.

Other recommended actions are to block or filter formula injection characters in input fields, implement secure CSV export headers, and apply output encoding to ensure that exported data cannot be interpreted as executable formulas by spreadsheet applications.

Conducting regular security audits and restricting access to the export functionality to authorized users only can further reduce the risk of exploitation.

Useful 0 Not Useful 0