CVE-2026-10248

An attacker must first log in to the system, then navigate to the supplier creation form at `/ShowForm/create_supplier/main` and inject a formula payload (e.g., `=1+1` or `=HYPERLINK(...)`) into fields like Address or Company Name. When an administrator exports the supplier list to CSV via `/Export_csv/export` and opens the file in a spreadsheet application (e.g., WPS Spreadsheet or Microsoft Excel), the injected formula is interpreted and executed, enabling data exfiltration, phishing, or arbitrary command execution [ref_id=1].

The vulnerability resides in the `/Export_csv/export` endpoint of the SourceCodester Pharmacy Sales and Inventory System V1.0. The `create_supplier` function writes user-supplied fields (Address, Company Name, Mobile, Previous Due) into a CSV file without sanitizing formula-triggering characters such as `=`, `+`, `-`, `@` [ref_id=1].

The advisory recommends sanitizing CSV output by prefixing dangerous characters with a single quote or tab, blocking formula-triggering characters (`=`, `+`, `-`, `@`, `|`, `%`) before writing, and setting secure Content-Type headers. No official patch has been published by the vendor; the suggested repairs involve escaping cell values so that spreadsheet applications treat them as plain text rather than executable formulas [ref_id=1].

Step 1: Login to the system and navigate to supplier creation page at `http://localhost/ci_pms/index.php/ShowForm/create_supplier/main`. Step 2: Inject formula payload in the 'Address' field (e.g., `=1+1`). Step 3: Click 'Create' to save the supplier. Step 4: Navigate to the supplier list and click 'Export to CSV'. Step 5: Open the exported CSV file in WPS Spreadsheet. Step 6: Observe that the Address cell displays '2' instead of the literal string `=1+1`, confirming formula injection [ref_id=1].