PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10246 SourceCodester CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0, in the create_medicine_presentation function reachable through the /ShowForm/create_medicine_presentation/main endpoint. The medicine_presentation parameter accepts unsanitized input, allowing a remote attacker to store script that runs in the browser of anyone who later views the affected record. The vulnerability has been publicly disclosed with a proof of concept available, which raises the practical exploitation risk despite the LOW CVSS score. Vendor attribution is unconfirmed and held with low confidence: it is derived solely from analysis of the reference domains, which point to Vuldb as the information source.

Vendor
SourceCodester
Product
Pharmacy Sales and Inventory System
CVSS
LOW 2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running SourceCodester Pharmacy Sales and Inventory System 1.0; security teams monitoring publicly disclosed PHP/web application vulnerabilities; developers maintaining inventory management systems with similar input handling patterns

Technical summary

The create_medicine_presentation function in /ShowForm/create_medicine_presentation/main fails to properly sanitize the medicine_presentation parameter, enabling injection of executable scripts. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N) reflects network accessibility (AV:N), low attack complexity (AC:L), a low-privileged account requirement (PR:L) and required user interaction (UI:P), with limited integrity impact (VI:L) and no confidentiality or availability impact on the vulnerable system. The vulnerability is classified under both CWE-79 and CWE-94, indicating insufficient neutralization of input during web page generation and insufficient control over generated code. Public exploit disclosure elevates practical risk beyond the nominal LOW severity.

Defensive priority

Low

Recommended defensive actions

  • Apply input validation and output encoding for the medicine_presentation parameter in the create_medicine_presentation function
  • Implement Content Security Policy (CSP) headers to mitigate impact of potential XSS payloads
  • Review and sanitize all user-controllable inputs within the /ShowForm/create_medicine_presentation/main endpoint
  • Monitor for unauthorized access attempts or anomalous requests to the affected endpoint
  • Contact SourceCodester or the original application developer to confirm vendor status and request a security patch
  • Consider web application firewall (WAF) rules to detect and block common XSS payload patterns targeting this endpoint
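The first three actions above amount to validating the value on the way in, encoding it on the way out, and setting a CSP so that anything that slips through cannot execute. The following PHP snippet is an added illustration of those three layers for the medicine_presentation field; it is not SourceCodester's code, the function names (validate_presentation, render_presentation_row, send_csp_header) are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example (not SourceCodester code): the stored-XSS pattern the debrief
// describes, beside the hardened input, output and response layers.
// Function names are assumptions; the application's own source is not on
// this page.

declare(strict_types=1);

// --- Vulnerable pattern: the stored value is echoed into HTML unchanged, so
// markup saved through the medicine_presentation field is rendered as markup
// in every later view of the record.
function render_presentation_row_vulnerable(string $presentation): string
{
    return "<td>" . $presentation . "</td>";
}

// --- Input side: server-side allowlist validation at submit time. A
// presentation name ("Tablet", "Syrup 100ml") only needs letters, digits,
// spaces and a few punctuation marks; anything else is rejected.
function validate_presentation(string $input): ?string
{
    $value = trim($input);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 50) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,%\/()\-]+$/u', $value)) {
        return null;
    }
    return $value;
}

// --- Output side: contextual encoding on every render, independent of what
// validation did at write time (rows stored before the fix are covered too).
function render_presentation_row(string $presentation): string
{
    $safe = htmlspecialchars($presentation, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<td>" . $safe . "</td>";
}

// --- Response side: a CSP without 'unsafe-inline' so that inline script in a
// stored value is blocked by the browser even if both layers above fail.
// Assumption: the application has no inline scripts of its own; otherwise
// nonce or hash allowances must be added to script-src.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed inputs for a quick self-check from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'Tablet 500mg',
        '<script>alert(1)</script>',
        '" onmouseover="alert(1)',
    ];
    foreach ($samples as $s) {
        $verdict = validate_presentation($s) === null ? 'REJECT' : 'ok';
        echo str_pad($s, 28) . ' | validate: ' . $verdict
           . ' | rendered: ' . render_presentation_row($s) . PHP_EOL;
    }
}
```

Run with `php example.php`: only "Tablet 500mg" passes validation, and the two constructed payloads are rendered as inert text (`&lt;script&gt;...`) by the encoding layer. The validation regex is deliberately narrow for this field; widen it only for characters the pharmacy data actually needs, and keep the output encoding regardless, since the encoding is what protects rows that were stored before the fix.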

Evidence notes

Vulnerability disclosed via GitHub issue and Vuldb submission. CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges and user interaction. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code) are both cited as weakness classifications. The exploit has been publicly disclosed per the CVE description.
