{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26887", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-03T20:36:18.642Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-03T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-03T18:11:24.827Z"}, "descriptions": [{"lang": "en", "value": "Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/shininadd/bug_report/blob/main/Sourcecodester/pharmacy-point-sale-system/SQL-3.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26887", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T20:28:40.973363Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:36:18.642Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26887", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T20:28:40.973363Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:28:49.572Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/shininadd/bug_report/blob/main/Sourcecodester/pharmacy-point-sale-system/SQL-3.md"}], "descriptions": [{"lang": "en", "value": "Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-03T18:11:24.827Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26887", "state": "PUBLISHED", "dateUpdated": "2026-03-03T20:36:18.642Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-03T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oretnom23:pharmacy_point_of_sale_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA845844-0125-4351-BB2C-72589B773463", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php."}], "id": "CVE-2026-26887", "lastModified": "2026-03-04T04:00:11.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-03T20:16:48.770", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/shininadd/bug_report/blob/main/Sourcecodester/pharmacy-point-sale-system/SQL-3.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pharmacy_point_of_sale_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-17T13:27:05.500689+00:00", "value": {"mitigation_remediation": ["Update to a patched version of the Pharmacy Point of Sale System if the vendor releases an official fix.", "Modify the /pharmacy/manage_supplier.php script to use parameterized queries or prepared statements, ensuring that user-supplied data cannot alter SQL command structure.", "Sanitize and validate all input fields according to the principle of least privilege, allowing only expected data types and lengths, and rejecting or escaping special characters.", "Enforce least privilege on the database user by restricting its rights to only necessary operations."], "summary": {"action": "Apply patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Sourcecodester Pharmacy Point of Sale System, version 1.0. No additional vendor or product variants are listed.", "description_and_impact": "The Sourcecodester Pharmacy Point of Sale System version 1.0 contains an SQL Injection vulnerability in the manage_supplier.php handler. An attacker can supply specially crafted input that is interpolated directly into database queries, allowing unauthorized read or modification of supplier records. This flaw may enable data disclosure, tampering, or the execution of arbitrary SQL commands, potentially compromising the integrity of the transaction database.", "risk_and_exploitability": "The CVSS score is 2.7, indicating low severity, and the EPSS score is below 1%, suggesting a very low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is externally accessible, since the flaw exists in a publicly reachable web endpoint. An attacker would need to craft an HTTP request containing malicious input to the /pharmacy/manage_supplier.php script. Because the database credentials used by the application likely have standard privileges, the impact might be limited to data read/write, but unpatched systems remain at risk."}}}}, "created": "2026-03-04T21:04:21.557239+00:00", "title": "SQL Injection in Sourcecodester Pharmacy Point of Sale System", "updated": "2026-04-17T13:30:19.605588+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$pharmacy_point_of_sale_system"]}