Skip to main content

Pharmacy Sales Inventory EUVD-2026-33618

| CVE-2026-10245 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 VulDB GHSA-4j5r-6h7v-59cc
XSS Pharmacy Sales And Inventory System
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 01, 2026 - 11:22 vuln.today
CVSS changed
Jun 01, 2026 - 11:22 NVD
3.5 (LOW) 2.0 (LOW)

DescriptionCVE.org

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is the function create_supplier of the file /ShowForm/create_supplier/main. Executing a manipulation of the argument company_name can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used.

AnalysisAI

Stored or reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows a remote, low-privileged attacker to inject arbitrary JavaScript via the company_name argument in the create_supplier function at /ShowForm/create_supplier/main. Successful exploitation requires a victim user to interact with the malicious content, limiting blast radius, but the CVSS temporal metric confirms a proof-of-concept exploit is publicly available via GitHub. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Navigate to /ShowForm/create_supplier/main
Exploit
Submit crafted company_name with XSS payload
Execution
Payload persisted in supplier record
Persist
Victim authenticated user views supplier listing
Impact
Malicious script executes in victim's browser session
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid low-privilege account on the Pharmacy Sales and Inventory System (CVSS PR:L), meaning unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 3.5 (Low) is grounded in a vector of AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N - network-accessible but requiring authenticated low-privileged access and victim interaction, with impact confined to integrity only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege account on the Pharmacy Sales and Inventory System navigates to the supplier creation form and submits a crafted company_name value containing a malicious JavaScript payload (e.g., an XSS string that exfiltrates session cookies). The payload is stored in the supplier record and later rendered without encoding to another authenticated user - such as a pharmacist or administrator - who views the supplier list, triggering the script execution in their browser context. …
Remediation No vendor-released patch has been identified at time of analysis - the CVSS remediation level is not defined (RL:X) and no patched version is referenced in any advisory. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-33618 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy