CVE-2026-10245
Description
A stored XSS vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0 via the company_name parameter in create_supplier allows remote unauthenticated attackers to execute arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Stored Cross-Site Scripting (XSS) exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. The function create_supplier in the file /ShowForm/create_supplier/main does not properly sanitize the company_name parameter before outputting it to the web page, allowing injection of arbitrary HTML and JavaScript [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By sending a crafted request to the vulnerable endpoint with malicious script code as the company_name parameter, the payload is stored and executed in the browser of any administrator or user who views the supplier list [1].
Impact
Successful exploitation allows the attacker to steal cookies, session tokens, or other sensitive information, perform actions on behalf of the victim, deface web pages, redirect users to malicious sites, or gain control of the victim's browser [1].
Mitigation
As of the publication date (2026-06-01), no official patch has been released. The vendor has not responded to the disclosure. Users should sanitize and encode all user inputs before output, using proper escaping functions. Consider disabling the vulnerable script or implementing input validation as a workaround [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application outputs the `company_name` parameter directly to the web page without encoding or filtering, allowing injection of arbitrary script code."
Attack vector
An attacker sends a crafted HTTP request to `/ShowForm/create_supplier/main` with a malicious payload in the `company_name` parameter, such as `<script>alert(/xss/);</script>` [ref_id=1]. The application stores this value and later renders it unencoded into the HTML page, so the script executes in the browser of anyone who views it. The advisory states that no login or authorization is required to exploit this vulnerability [ref_id=1]. This is a classic stored Cross-Site Scripting (XSS) flaw.
Affected code
The vulnerability resides in the file `/ShowForm/create_supplier/main` of the SourceCodester Pharmacy Sales and Inventory System 1.0. The function `create_supplier` outputs the `company_name` parameter directly to the web page without encoding or filtering [ref_id=1].
What the fix does
The advisory recommends output encoding, input validation and filtering, implementing a Content Security Policy (CSP), and setting secure/HttpOnly flags on cookies [ref_id=1]. No official patch is provided in the bundle; the vendor has not released a fix. Applying these mitigations would prevent the injection and execution of arbitrary script code by treating user input as plain text rather than executable code.
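The output-encoding fix described under Mitigation and here, as an added example that is not the project's own code: a minimal PHP sketch (the application is assumed to be PHP; the row layout, helper names and the sample row are hypothetical) showing the vulnerable echo beside the encoded output, an input-side check, and the CSP and cookie-flag hardening the advisory recommends.

```php
<?php
// Added example, not code from the Pharmacy Sales and Inventory System.
// Assumes a PHP controller that renders the supplier list; the row layout,
// helper names and the sample row below are hypothetical/constructed.

// Before: the stored company_name is concatenated into HTML unencoded, so a
// value containing markup is parsed and executed by every viewer's browser.
function render_supplier_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['company_name'] . '</td></tr>';
}

// After: contextual output encoding for an HTML text node. htmlspecialchars
// with ENT_QUOTES converts & < > " ' into entities, so the payload is shown
// as literal text rather than interpreted as a script element.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_supplier_row_fixed(array $row): string
{
    return '<tr><td>' . e($row['company_name']) . '</td></tr>';
}

// Input-side workaround suggested by the advisory: reject values that can
// never be a legitimate supplier name (oversized, or containing control
// characters or angle brackets). This complements, not replaces, encoding.
function company_name_is_acceptable(string $value): bool
{
    return strlen($value) <= 100
        && preg_match('/[\x00-\x1F\x7F<>]/', $value) === 0;
}

// Defence in depth from the advisory: a CSP without 'unsafe-inline' blocks
// injected inline scripts, and cookie flags keep the session cookie out of
// reach of any script that does run. Call before session_start() and output.
function send_hardening_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
}

// Constructed sample row carrying the payload quoted in the advisory.
$sample = ['company_name' => '<script>alert(/xss/);</script>'];
var_dump(company_name_is_acceptable($sample['company_name']));
echo render_supplier_row_vulnerable($sample), PHP_EOL;
echo render_supplier_row_fixed($sample), PHP_EOL;
```

Run with `php example.php` and compare the two rendered rows: the first carries the script element through unchanged, the second carries only entity-encoded text that a browser will never execute.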
Preconditions
- network: Attacker must be able to send HTTP requests to the vulnerable endpoint /ShowForm/create_supplier/main
- auth: No authentication required per the advisory
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.