PatchSiren cyber security CVE debrief

CVE-2026-10244 SourceCodester CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the SourceCodester Pharmacy Sales and Inventory System 1.0, specifically within the create_medicine_name function accessible via the /ShowForm/create_medicine_name/main file path. The vulnerability allows remote attackers to inject malicious scripts through the medicine_name parameter. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no attack requirements, low privileges required, and user interaction present, with partial integrity impact to the victim. The exploit has been publicly disclosed. The weakness enumerations include CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code). Vendor attribution is uncertain, with the vendor field marked as 'Unknown Vendor' and confidence rated as low based on reference domain candidate analysis from Vuldb.

Vendor: SourceCodester
Product: Pharmacy Sales and Inventory System
CVSS: LOW (score 2)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running SourceCodester Pharmacy Sales and Inventory System 1.0 in production environments, particularly those with untrusted or low-privilege users who can access medicine creation functions. Security teams monitoring for public XSS exploits in healthcare or pharmacy management software.

Technical summary

The create_medicine_name function in /ShowForm/create_medicine_name/main fails to properly sanitize the medicine_name parameter, allowing injection of executable scripts. Attack vector is network-based with low complexity and requires low privileges with user interaction. Integrity impact to victim is low per CVSS 4.0 scoring. Public exploit availability increases risk despite LOW severity classification.

Defensive priority

low

Recommended defensive actions

  • Apply input validation and output encoding for the medicine_name parameter in the create_medicine_name function, following OWASP XSS prevention guidelines
  • Implement Content Security Policy (CSP) headers to mitigate impact of any successful XSS injection
  • Review and sanitize all user-controllable input fields within the /ShowForm/create_medicine_name/main file path
  • Consider upgrading or replacing the affected SourceCodester Pharmacy Sales and Inventory System 1.0 with a maintained alternative if patches are unavailable
  • Monitor for unauthorized access or anomalous script execution in environments running this application
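One way to carry out the first two actions above, as an added example in Python that is not the application's own code (this page does not show the real system's language or functions): a hypothetical store_medicine_name with allow-list validation of the medicine_name parameter, the unsafe rendering pattern beside its output-encoded form, and a Content-Security-Policy header; the allow-list pattern and the in-memory store are constructed for the example.

```python
import html
import re
from typing import Iterable, List, Tuple

# Constructed stand-in for the application's medicine table (not the real schema).
MEDICINES: List[str] = []

# Hypothetical allow-list for a medicine name: letters, digits, space and a few
# punctuation characters seen in drug names. Tune the set to real data before use.
MEDICINE_NAME_RE = re.compile(r"[A-Za-z0-9 .,()/%+-]{1,100}")


def store_medicine_name(medicine_name: str) -> bool:
    """Server-side validation of the medicine_name parameter before it is stored.

    Returns False (and stores nothing) when the value is outside the allow-list.
    Validation is defence in depth; the output encoding below is what stops XSS.
    """
    if not MEDICINE_NAME_RE.fullmatch(medicine_name):
        return False
    MEDICINES.append(medicine_name)
    return True


def render_list_vulnerable(names: Iterable[str]) -> str:
    """Before: stored values concatenated straight into HTML (the CWE-79 pattern).

    Whatever was stored, markup included, is emitted as live HTML.
    """
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_list_hardened(names: Iterable[str]) -> str:
    """After: HTML-body output encoding applied at render time, whatever is stored.

    html.escape covers the HTML body context only; attribute and JavaScript
    contexts need their own encoders.
    """
    return "<ul>" + "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names) + "</ul>"


def csp_header() -> Tuple[str, str]:
    """Response header limiting what an injected script could do if encoding is missed.

    Inline scripts are blocked because script-src carries no 'unsafe-inline'.
    """
    policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    return ("Content-Security-Policy", policy)
```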

Evidence notes

Vulnerability disclosed via Vuldb with public exploit availability confirmed. CVE published and modified 2026-06-01. Source references include GitHub issue tracker and Vuldb entries. No KEV listing present. Vendor attribution confidence is low and requires review.
