Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected is an unknown function of the file /index.php?page=product. Performing a manipulation of the argument ID results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
AnalysisAI
Reflected cross-site scripting in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /index.php?page=product, requiring user interaction to trigger payload execution. CVSS 4.8 with public exploit code availability (E:P) indicates low immediate risk despite network accessibility, constrained by high privilege requirement (PR:H) and user interaction dependency (UI:P).
Technical ContextAI
The vulnerability is a Reflected XSS (CWE-79) occurring in a PHP-based inventory management application. The /index.php?page=product endpoint fails to properly sanitize or encode the ID parameter before rendering it in HTTP responses. This allows an attacker to inject arbitrary HTML and JavaScript into the response, which executes in the victim's browser within the security context of the vulnerable application. The affected product is a server-side PHP application managing pharmacy inventory and sales operations, commonly deployed as a web application accessible over HTTP/HTTPS.
RemediationAI
Primary fix: Contact SourceCodester for a patched version or security update, as no specific patch version number is documented in available references. Immediate workaround: implement input validation and output encoding on the ID parameter in /index.php?page=product by applying HTML entity encoding (e.g., htmlspecialchars() or similar PHP sanitization functions) to any user-supplied input before rendering in HTTP responses. Additional controls: restrict access to /index.php?page=product to authorized administrative users via network access controls or web application firewall rules; implement Content Security Policy (CSP) headers to restrict inline script execution, limiting blast radius if encoding is bypassed. Deployment consideration: if patched version is unavailable, apply WAF rules blocking script tags and event handlers in the ID parameter as a temporary measure, accepting that sophisticated encoding bypasses may still succeed.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26041