{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26707", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-03T20:31:12.429Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-02T17:30:34.088Z"}, "descriptions": [{"lang": "en", "value": "sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_supplier.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-4.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T20:30:38.390700Z", "id": "CVE-2026-26707", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:31:12.429Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26707", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T20:30:38.390700Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:31:07.324Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-4.md"}], "descriptions": [{"lang": "en", "value": "sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_supplier.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-02T17:30:34.088Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26707", "state": "PUBLISHED", "dateUpdated": "2026-03-03T20:31:12.429Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-02T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oretnom23:pharmacy_point_of_sale_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA845844-0125-4351-BB2C-72589B773463", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_supplier.php."}], "id": "CVE-2026-26707", "lastModified": "2026-03-03T21:15:59.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T18:16:26.903", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-4.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pharmacy_point_of_sale_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-16T14:52:43.457232+00:00", "value": {"mitigation_remediation": ["Apply an update or migrate to a newer version of the Pharmacy Point of Sale System that eliminates the SQL injection flaw; if no official patch is available, consider switching to a more secure alternative.", "Restrict access to the /pharmacy/view_supplier.php URL using firewall rules, authentication, or IP whitelisting to limit exposure to trusted users only.", "Implement robust input validation and use prepared statements or parameterized queries in the application to prevent SQL injection.", "Continuously monitor web server and database logs for suspicious activity and anomalous queries."], "summary": {"action": "Assess Impact", "impact": "Unauthorized data access and potential modification"}, "threat_synthesis": {"affected_systems": "Targeted applications are the open\u2011source Pharmacy Point of Sale System released by oretnom23, version 1.0. No other versions are listed. The vulnerable code resides in the web front\u2011end, exposing the flaw to HTTP requests.", "description_and_impact": "An SQL injection flaw exists in the Pharmacy Point of Sale System version 1.0, specifically in the /pharmacy/view_supplier.php module. Attackers able to craft malicious input can inject arbitrary SQL statements, enabling enumeration of database contents, extraction of sensitive records, and modification or deletion of data. The vulnerability permits unauthorized disclosure of customer and supplier information and could lead to integrity violations.", "risk_and_exploitability": "With a CVSS score of 9.8, the flaw is considered critical. The EPSS value is below 1\u202f%, indicating current exploitation likelihood is low but not impossible; however, the absence from KEV suggests no publicly known exploits yet. The attack vector is inferred to be remote, as the vulnerable endpoint is reachable over the network. Successful exploitation would immediately compromise confidentiality and integrity of the underlying database, potentially allowing a remote attacker to read, modify, or delete data."}}}}, "created": "2026-03-03T08:46:13.355461+00:00", "title": "Pharmacy Point of Sale System v1.0 Remote SQL Injection in view_supplier.php", "updated": "2026-04-16T15:00:14.322874+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$pharmacy_point_of_sale_system"]}