CVE-2026-5812
Description
A security flaw has been discovered in SourceCodester Pharmacy Product Management System 1.0. This affects an unknown part of the file add-sales.php of the component POST Parameter Handler. Performing a manipulation of the argument txtqty results in business logic errors. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Pharmacy Product Management System 1.0 fails to validate the txtqty parameter, allowing negative values to artificially inflate inventory via business logic error.
Vulnerability Overview
CVE-2026-5812 is a business logic error in SourceCodester Pharmacy Product Management System 1.0, specifically in the add-sales.php file. The application does not validate that the txtqty POST parameter must be a positive integer. When a negative value is submitted, the backend logic subtracts the sold quantity from current stock (NewStock = CurrentStock - SoldQty), which results in an addition when SoldQty is negative, thereby increasing the stock level instead of decreasing it [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication, as the add-sales functionality is accessible to any logged-in user (e.g., pharmacist or admin). By intercepting the HTTP POST request to add-sales.php and modifying the txtqty parameter to a negative number (e.g., -10), the attacker can artificially inflate inventory levels. The exploit has been publicly released with a proof-of-concept request [1].
Impact
Successful exploitation compromises inventory integrity, allowing attackers to artificially increase stock levels. This can lead to financial discrepancies in cost calculations and sales reports, and may bypass stock availability checks, potentially enabling further abuse of the system [1].
Mitigation
As of the publication date, no official patch has been released by SourceCodester. The vendor's website (sourcecodester.com) does not provide an update for this version [2]. Users should implement input validation to ensure txtqty is a positive integer and consider upgrading to a maintained solution.
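One way to apply the input validation recommended above, as an added example that is not code from the SourceCodester project or a vendor patch. The function names, the `products` table and its columns are hypothetical, the sample `txtqty` values are constructed, and the script assumes PHP 8 with the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the SourceCodester project.
// Function, table and column names are hypothetical.

/** Returns txtqty as an integer >= 1, or null if it is anything else. */
function parseSoldQty(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing field or array input such as txtqty[]=5
    }
    $qty = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $qty === false ? null : $qty;
}

/** Decrements stock only if enough is on hand; returns true on success. */
function recordSale(PDO $db, int $productId, int $qty): bool
{
    // The WHERE clause makes the availability check and the decrement one atomic step.
    $stmt = $db->prepare(
        'UPDATE products SET stock = stock - :qty WHERE id = :id AND stock >= :qty2'
    );
    $stmt->execute([':qty' => $qty, ':id' => $productId, ':qty2' => $qty]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, stock INTEGER NOT NULL)');
$db->exec('INSERT INTO products (id, stock) VALUES (1, 50)');

// Constructed txtqty values: valid, negative, zero, decimal, non-numeric, oversized.
foreach (['5', '-10', '0', '2.5', 'abc', '100'] as $txtqty) {
    $qty = parseSoldQty($txtqty);
    if ($qty === null) {
        $result = 'rejected: not a positive integer';
    } elseif (!recordSale($db, 1, $qty)) {
        $result = 'rejected: exceeds available stock';
    } else {
        $result = 'accepted';
    }
    $stock = $db->query('SELECT stock FROM products WHERE id = 1')->fetchColumn();
    printf("txtqty=%-4s %-34s stock=%d\n", $txtqty, $result, $stock);
}
```

The validation has to run server-side on every request, because the advisory's scenario modifies the POST body after any client-side form checks.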
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 1.0
Patches
No patches discovered yet.