{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7269", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-28T05:25:36.785Z", "datePublished": "2026-04-28T12:00:16.352Z", "dateUpdated": "2026-04-29T14:22:40.994Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T12:00:16.352Z"}, "title": "SourceCodester Pharmacy Sales and Inventory System index.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "SourceCodester", "product": "Pharmacy Sales and Inventory System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected is an unknown function of the file /index.php?page=product. Performing a manipulation of the argument ID results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-28T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-28T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-28T07:32:48.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "zulu (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/359920", "name": "VDB-359920 | SourceCodester Pharmacy Sales and Inventory System index.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359920/cti", "name": "VDB-359920 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/802757", "name": "Submit #802757 | sourcecodester Pharmacy Sales and Inventory System V1.0 cross site scripting", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/802758", "name": "Submit #802758 | sourcecodester Pharmacy Sales and Inventory System V1.0 cross site scripting (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zulu225588/zulu-loudong/issues/3", "tags": ["exploit", "issue-tracking"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-29T14:22:33.072140Z", "id": "CVE-2026-7269", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T14:22:40.994Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"tags": ["x_freeware"], "title": "SourceCodester Pharmacy Sales and Inventory System index.php cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "zulu (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "SourceCodester", "product": "Pharmacy Sales and Inventory System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-28T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-28T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-28T07:32:48.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359920", "name": "VDB-359920 | SourceCodester Pharmacy Sales and Inventory System index.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359920/cti", "name": "VDB-359920 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/802757", "name": "Submit #802757 | sourcecodester Pharmacy Sales and Inventory System V1.0 cross site scripting", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/802758", "name": "Submit #802758 | sourcecodester Pharmacy Sales and Inventory System V1.0 cross site scripting (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zulu225588/zulu-loudong/issues/3", "tags": ["exploit", "issue-tracking"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected is an unknown function of the file /index.php?page=product. Performing a manipulation of the argument ID results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T12:00:16.352Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7269", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-29T14:22:33.072140Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-29T14:22:37.862Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-7269", "state": "PUBLISHED", "dateUpdated": "2026-04-28T12:00:16.352Z", "dateReserved": "2026-04-28T05:25:36.785Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-28T12:00:16.352Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected is an unknown function of the file /index.php?page=product. Performing a manipulation of the argument ID results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used."}], "id": "CVE-2026-7269", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-28T13:19:24.373", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/zulu225588/zulu-loudong/issues/3"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/802757"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/802758"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359920"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359920/cti"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Pharmacy Sales and Inventory System", "source": "cna", "vendor": "SourceCodester"}, "product": "pharmacy_sales_and_inventory_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-28T19:20:23.828998+00:00", "value": {"mitigation_remediation": ["Deploy any vendor\u2011issued patch for Pharmacy Sales and Inventory System as soon as it becomes available", "Sanitize and validate the ID query parameter before echoing it in the page, ensuring all output is properly encoded for HTML context", "Implement a Content Security Policy that disallows inline scripts or restricts script sources to trusted domains to mitigate the impact of any residual XSS"], "summary": {"action": "Apply Patch or Mitigate", "impact": "Cross\u2011Site Scripting (XSS) allowing execution of arbitrary script code in affected user browsers"}, "threat_synthesis": {"affected_systems": "The affected product is SourceCodester Pharmacy Sales and Inventory System, version 1.0. Only the index.php file handling the page=product controller is vulnerable; no other products or versions are identified as affected.", "description_and_impact": "A content\u2011injection flaw exists in the Pharmacy Sales and Inventory System when the identifier parameter in the product page is manipulated. The vulnerability permits unencoded user input to be reflected in the page, enabling an attacker to inject arbitrary script that runs in the context of the victim\u2019s browser. This can lead to credential theft, defacement, or session hijacking for the affected user. The weakness corresponds to CWE\u201179 and CWE\u201194, indicating improper input handling and potential code execution.", "risk_and_exploitability": "The CVSS score of 4.8 reflects a moderate severity for an XSS vulnerability that requires only remote access to the vulnerable page. The EPSS score is not available, so the likelihood of exploitation is unclear, but public exploit code has been released, indicating the vulnerability is active. It is not listed in the CISA KEV catalog. Attackers can exploit this remotely by crafting a crafted request to /index.php?page=product with a specially\u2011encoded ID parameter, injecting script that retrieves user credentials or accesses other resources within the same domain."}}}}, "created": "2026-04-28T15:00:13.531785+00:00", "updated": "2026-04-28T19:30:27.375925+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$pharmacy_sales_and_inventory_system"]}