PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10247 SourceCodester CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0, specifically within the `create_generic_name` function reachable via the `/ShowForm/create_generic_name/main` endpoint. The `generic_name` parameter lacks sufficient input sanitization, allowing remote attackers to inject malicious scripts that are stored and later rendered to other users. Exploitation requires low privileges (PR:L) and user interaction (UI:P) over a network-based attack vector (AV:N). The CVSS 4.0 vector indicates limited integrity impact (VI:L) and no confidentiality or availability impact. A public exploit has been disclosed, which raises the practical risk despite the LOW severity score.

Vendor: SourceCodester
Product: Pharmacy Sales and Inventory System
CVSS: 2.0 (LOW)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running SourceCodester Pharmacy Sales and Inventory System 1.0; healthcare/pharmacy IT administrators; web application security teams managing PHP-based inventory systems; vulnerability management programs tracking public exploit disclosures

Technical summary

The vulnerability resides in the `create_generic_name` function of `/ShowForm/create_generic_name/main` in SourceCodester Pharmacy Sales and Inventory System 1.0. Insufficient sanitization of the `generic_name` parameter permits injection of executable script into pages rendered by the application. The attack vector is network-based with low attack complexity, requiring authenticated low-privilege access and user interaction. CVSS 4.0 score: 2.0 (LOW). Public exploit availability elevates the practical concern.

Defensive priority

Medium

Recommended defensive actions

  • Apply input validation and output encoding for the generic_name parameter in the create_generic_name function, implementing allowlist-based sanitization for expected character sets
  • Implement Content Security Policy (CSP) headers to mitigate impact of potential XSS payloads
  • Review and sanitize all user-controllable parameters in /ShowForm/create_generic_name/main endpoint
  • Monitor for unauthorized access attempts or anomalous requests to the affected endpoint
  • Verify vendor attribution and apply official patches from SourceCodester when available; consider temporary access restrictions to the administrative function pending remediation
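The following is an added illustration, not SourceCodester's code and not derived from the affected application: a minimal stand-in for a "create generic name" handler shown first as the stored-XSS sink described under CWE-79, then hardened with the allowlist validation, output encoding and CSP header recommended above. The function names, the accepted character set and the 100-character limit are assumptions.

```php
<?php
// Added example (hypothetical code, not the vendor's): the names below are assumptions.

// --- Vulnerable pattern: the submitted value is stored and later echoed unencoded ---
function render_generic_name_vulnerable(string $generic_name): string {
    // Whatever was saved is emitted straight into the HTML table cell.
    return "<td>" . $generic_name . "</td>";
}

// --- Hardened pattern, step 1: allowlist validation on input ---
function validate_generic_name(string $generic_name): ?string {
    $name = trim($generic_name);
    // Assumed allowlist for drug generic names: letters, digits, space, . , ( ) / -
    if ($name === '' || strlen($name) > 100) {
        return null;                      // reject empty or oversized values
    }
    if (!preg_match('/^[A-Za-z0-9 .,()\/\-]+$/', $name)) {
        return null;                      // reject anything outside the allowlist
    }
    return $name;
}

// --- Hardened pattern, step 2: contextual output encoding at render time ---
function render_generic_name_hardened(string $generic_name): string {
    // Encoding is the primary XSS control and runs even if validation was bypassed
    // elsewhere (for example, data inserted before the fix was deployed).
    $safe = htmlspecialchars($generic_name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<td>" . $safe . "</td>";
}

// --- Hardened pattern, step 3: a restrictive CSP as defence in depth ---
function csp_header_value(): string {
    // Blocks inline script, so a stored payload that slips through cannot execute.
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample submissions, including a markup-bearing value of the kind
// the advisory describes, to show validation and encoding behaviour.
$samples = ['Amoxicillin', 'Paracetamol (500mg)', '<b onmouseover=x>Ibuprofen</b>'];
header('Content-Security-Policy: ' . csp_header_value());
foreach ($samples as $input) {
    $valid = validate_generic_name($input);
    echo "input:      " . $input . PHP_EOL;
    echo "validation: " . ($valid === null ? 'rejected' : 'accepted') . PHP_EOL;
    echo "rendered:   " . render_generic_name_hardened($input) . PHP_EOL . PHP_EOL;
}
```

Run from the CLI the `header()` call is a no-op; in a web context it should be emitted before any output on every response that renders stored `generic_name` values.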

Evidence notes

Vulnerability identified in SourceCodester Pharmacy Sales and Inventory System 1.0. CNA-assigned weaknesses include CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code). Public exploit disclosure is confirmed via a GitHub issue reference. Vendor attribution is marked low confidence and requires review: the record carries an 'Unknown Vendor' designation, with VulDB as the candidate reference domain.
