CVE-2026-10244
Description
A reflected XSS vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject arbitrary scripts via the medicine_name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject arbitrary scripts via the `medicine_name` parameter.
Vulnerability
The vulnerability exists in the create_medicine_name function within the file /ShowForm/create_medicine_name/main of SourceCodester Pharmacy Sales and Inventory System version 1.0. The medicine_name parameter is directly output to the web page without proper sanitization or encoding, leading to a reflected cross-site scripting (XSS) flaw. [1]
Exploitation
An attacker can exploit this by crafting a malicious request containing a script payload in the medicine_name parameter. No authentication is required, and the attack can be performed remotely. The public proof-of-concept uses `<script>alert(/xss/);</script>` to demonstrate script execution. When a victim accesses the vulnerable page, the injected script runs in their browser. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of cookies, session tokens, or other sensitive information, as well as performing actions on behalf of the victim, defacing web pages, or redirecting users to malicious sites. [1]
Mitigation
As of the publication date (2026-06-01), no official patch has been released by SourceCodester. Users should implement input validation and output encoding for the medicine_name parameter, or restrict access to the vulnerable file. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation and output encoding of the 'medicine_name' parameter allows injection of arbitrary script code."
Attack vector
An attacker sends a crafted HTTP request to `/ShowForm/create_medicine_name/main` with a malicious payload in the `medicine_name` parameter, such as `<script>alert(/xss/);</script>` [ref_id=1]. The system outputs this input directly to the web page without encoding or filtering, causing the script to execute in the victim's browser. The attack is remote and requires low privileges, but user interaction is needed (e.g., clicking a link). This is a classic reflected Cross-Site Scripting (XSS) flaw [CWE-79].
Affected code
The vulnerability is in the file `/ShowForm/create_medicine_name/main` of the SourceCodester Pharmacy Sales and Inventory System 1.0. The function `create_medicine_name` processes the `medicine_name` parameter without proper sanitization.
What the fix does
The advisory recommends output encoding of user input before rendering it to the web page, strict input validation and filtering to reject malicious content, and implementing a Content Security Policy (CSP) [ref_id=1]. No official patch is provided in the bundle. Applying these mitigations would prevent the injected script from being executed by the browser.
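The encode-and-validate fix described above, as an added Python example rather than code from the project (the page shows none of it): the attribute-context rendering, the allowlisted character set for `medicine_name` and the CSP value are assumptions, and the only payload used is the one the advisory cites.

```python
import html
import re

# Constructed sample input: the proof-of-concept payload cited for medicine_name.
POC_PAYLOAD = "<script>alert(/xss/);</script>"


def render_vulnerable(medicine_name: str) -> str:
    """Reflects the parameter into the form unchanged (the CVE-2026-10244 behaviour).
    The HTML attribute context is an assumption, not taken from the project."""
    return f'<input type="text" name="medicine_name" value="{medicine_name}">'


def render_fixed(medicine_name: str) -> str:
    """Output-encodes the parameter before it reaches the page (the recommended fix).
    quote=True also encodes quotes, so the value cannot break out of the attribute."""
    safe = html.escape(medicine_name, quote=True)
    return f'<input type="text" name="medicine_name" value="{safe}">'


# Assumed allowlist for a medicine name: letters, digits, spaces and a little punctuation.
MEDICINE_NAME_RE = re.compile(r"^[A-Za-z0-9 .()/%-]{1,100}$")


def validate_medicine_name(medicine_name: str) -> bool:
    """Strict input validation: reject anything outside the allowlist instead of cleaning it."""
    return MEDICINE_NAME_RE.fullmatch(medicine_name) is not None


def contains_script_tag(rendered_html: str) -> bool:
    """Simple check used to show that encoding neutralises the cited payload."""
    return "<script" in rendered_html.lower()


def csp_header_value() -> str:
    """Defence-in-depth: an assumed CSP that refuses inline scripts if encoding is ever missed."""
    return "default-src 'self'; script-src 'self'; object-src 'none'"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(POC_PAYLOAD))
    print("fixed:     ", render_fixed(POC_PAYLOAD))
    print("valid name:", validate_medicine_name("Amoxicillin 250mg (capsule)"))
    print("valid PoC: ", validate_medicine_name(POC_PAYLOAD))
```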
Preconditions
- network: The attacker must be able to send HTTP requests to the vulnerable endpoint /ShowForm/create_medicine_name/main.
- input: The victim must interact with the crafted link or page that triggers the XSS payload.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.