{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4013", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-11T19:07:39.747Z", "datePublished": "2026-03-12T08:02:07.851Z", "dateUpdated": "2026-03-12T13:36:20.462Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-12T08:02:07.851Z"}, "title": "SourceCodester Web-based Pharmacy Product Management System add_admin.php improper authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "SourceCodester", "product": "Web-based Pharmacy Product Management System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown function of the file add_admin.php. Such manipulation leads to improper authorization. The attack may be launched remotely."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:ND"}}], "timeline": [{"time": "2026-03-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-11T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-11T20:12:45.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "MuhdFarhan (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.350535", "name": "VDB-350535 | SourceCodester Web-based Pharmacy Product Management System add_admin.php improper authorization", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.350535", "name": "VDB-350535 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.769781", "name": "Submit #769781 | SourceCodester Web-based Pharmacy Product Management System 1.0 Improper Access Controls", "tags": ["third-party-advisory"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T13:36:07.248823Z", "id": "CVE-2026-4013", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:36:20.462Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4013", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T13:36:07.248823Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:36:12.917Z"}}], "cna": {"tags": ["x_freeware"], "title": "SourceCodester Web-based Pharmacy Product Management System add_admin.php improper authorization", "credits": [{"lang": "en", "type": "reporter", "value": "MuhdFarhan (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:ND"}}], "affected": [{"vendor": "SourceCodester", "product": "Web-based Pharmacy Product Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-11T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-11T20:12:45.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.350535", "name": "VDB-350535 | SourceCodester Web-based Pharmacy Product Management System add_admin.php improper authorization", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.350535", "name": "VDB-350535 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.769781", "name": "Submit #769781 | SourceCodester Web-based Pharmacy Product Management System 1.0 Improper Access Controls", "tags": ["third-party-advisory"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown function of the file add_admin.php. Such manipulation leads to improper authorization. The attack may be launched remotely."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-12T08:02:07.851Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4013", "state": "PUBLISHED", "dateUpdated": "2026-03-12T13:36:20.462Z", "dateReserved": "2026-03-11T19:07:39.747Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-12T08:02:07.851Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown function of the file add_admin.php. Such manipulation leads to improper authorization. The attack may be launched remotely."}, {"lang": "es", "value": "Una vulnerabilidad fue identificada en SourceCodester Web-based Pharmacy Product Management System 1.0. Esto afecta una funci\u00f3n desconocida del archivo add_admin.php. Dicha manipulaci\u00f3n conduce a una autorizaci\u00f3n indebida. El ataque puede ser lanzado de forma remota."}], "id": "CVE-2026-4013", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-12T08:16:11.810", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.350535"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.350535"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.769781"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Web-based Pharmacy Product Management System", "source": "cna", "vendor": "SourceCodester"}, "product": "web-based_pharmacy_product_management_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-18T15:16:21.429465+00:00", "value": {"mitigation_remediation": ["Check the SourceCodester website for an official patch or update for Web-based Pharmacy Product Management System 1.0.", "If an update is available, immediately download and apply the patch.", "If no patch exists, restrict remote access to add_admin.php or disable the function until a fix is released.", "Enforce strict role-based access control so that only authorized users can invoke admin functions.", "Monitor system logs for any unauthorized attempts to use administrative features."], "summary": {"action": "Assess Impact", "impact": "Improper Authorization"}, "threat_synthesis": {"affected_systems": "SourceCodester Web-based Pharmacy Product Management System version 1.0. No additional affected versions are enumerated in the CVE data.", "description_and_impact": "A vulnerability in the Web-based Pharmacy Product Management System 1.0, located in the add_admin.php file, allows improper authorization of administrative actions. The flaw resides in an unknown function of the file and enables attackers to bypass authentication controls to gain unauthorized admin capabilities. This constitutes a privilege escalation-type weakness, identified as CWE-266 and CWE-285.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. The EPSS score is reported as less than 1%, implying a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack may be launched remotely, though the exact remote vectors are not detailed in the vendor description. No public exploit or specific attack paths are documented in the provided references."}}}}, "created": "2026-03-13T09:53:22.773136+00:00", "updated": "2026-03-20T15:49:59.612635+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$web-based_pharmacy_product_management_system"]}