CVE-2026-10247

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. The flaw resides in the create_generic_name function of the file /ShowForm/create_generic_name/main. The generic_name parameter is echoed directly to the web page without proper sanitization or output encoding, allowing injection of arbitrary HTML and JavaScript. No authentication is required to reach the vulnerable endpoint [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the /ShowForm/create_generic_name/main endpoint with a malicious payload in the generic_name parameter. For example, the payload `` demonstrates the ability to execute JavaScript. The exploit requires no prior authentication or special privileges, and the attacker only needs network access to the target system. The proof-of-concept code has been publicly disclosed [1].

Impact

Successful exploitation allows an attacker to execute arbitrary script code in the context of a victim's browser when the victim views the affected page. This can lead to theft of cookies, session tokens, or other sensitive information, impersonation of the victim, defacement of web pages, redirection to malicious sites, and potential control of the victim's browser. The impact is limited to the browser session and does not directly compromise the server [1].

Mitigation

As of the publication date (2026-06-01), no official patch has been released for SourceCodester Pharmacy Sales and Inventory System 1.0. The vendor has not responded to the disclosure. Mitigation requires manually sanitizing all user-supplied input in the generic_name parameter, implementing output encoding, or applying web application firewall (WAF) rules to block XSS payloads. Users should consider migrating to a supported or rewritten solution if the vendor does not provide a fix [1].