CVE-2026-10246

Vulnerability

An XSS vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0, specifically in the create_medicine_presentation function located at /ShowForm/create_medicine_presentation/main. The medicine_presentation parameter is taken from user input and output directly to the web page without proper encoding or filtering, allowing injection of arbitrary script code [1]. This is a classic reflected cross-site scripting (XSS) flaw. The vulnerable version is 1.0 [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring any authentication or login [1]. The attack involves sending a crafted request containing a malicious script (e.g., a payload like `) in the medicine_presentation` parameter. When the victim visits the affected page with the malicious payload, the script executes in the context of the victim's browser [1]. No special privileges or additional user interaction beyond visiting the crafted URL is needed.

Impact

Successful exploitation allows the attacker to execute arbitrary script code in the victim's browser. This can lead to theft of cookies, session tokens, or other sensitive information; performance of actions on behalf of the victim; defacement of web pages; or redirection to malicious sites [1]. The impact is limited to the browser session and does not directly compromise the server.

Mitigation

As of the publication date, no official patch or fixed version has been released for this vulnerability [1][2]. The vendor, SourceCodester, has not released an update addressing this issue. Users should apply input validation and output encoding for the medicine_presentation parameter as a workaround until a fix is provided. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.