VYPR
Medium severity (NVD score 4.3) · Advisory · Published Apr 28, 2026 · Updated Apr 29, 2026

CVE-2026-7200

Description

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of the argument ID can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to reflected XSS via the 'id' parameter in /index.php?page=types, allowing remote attackers to execute arbitrary scripts without authentication.

Vulnerability

Overview

A reflected cross-site scripting (XSS) vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The flaw resides in the /index.php?page=types file, where the id parameter is directly output to the web page without proper validation or encoding. This lack of sanitization enables attackers to inject arbitrary HTML and JavaScript code, which is then executed in the victim's browser [1].

Exploitation

Prerequisites

Exploitation does not require authentication or special privileges. An attacker can craft a malicious URL containing a script payload in the id parameter and trick a victim into clicking it. The vulnerability is remotely exploitable, and a proof-of-concept (PoC) has been published, increasing the risk of active attacks [1].

Impact

Successful exploitation allows an attacker to perform arbitrary actions in the context of the victim's session, including stealing cookies, session tokens, or other sensitive information. The attacker may also deface the web page, redirect users to malicious sites, or execute further client-side attacks, compromising user privacy and system security [1].

Mitigation

The vendor has not released an official patch at the time of writing. Users are advised to sanitize the id parameter and apply proper output encoding until a fix is available. Given the public exploit, this vulnerability warrants immediate attention to prevent potential attacks.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
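Following the mitigation guidance above, an added illustration that is not code from the SourceCodester project (whose source is not shown on this page): a hypothetical PHP handler for the `types` page, with the unencoded reflection of `id` that produces this bug class next to a version that validates the value and encodes it on output. The function names, the `$query` array (standing in for `$_GET`) and the numeric-id assumption are all constructed for the example.

```php
<?php
// Added illustration only; hypothetical handler, not the project's own code.
declare(strict_types=1);

// Vulnerable pattern: the raw query-string value is interpolated into HTML,
// so any markup placed in ?id= is handed to the browser as markup.
function render_type_heading_vulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    return "<h2>Type #{$id}</h2>";
}

// Hardened pattern: allow-list validation first (a record id is assumed to be
// a plain positive integer), then output encoding for whatever is echoed.
function render_type_heading_safe(array $query): string
{
    $id = $query['id'] ?? '';
    // Reject anything that is not a string of 1-10 digits without a leading 0;
    // ?id[]=x would arrive as an array, so the type check comes first.
    if (!is_string($id) || !preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        http_response_code(400);
        return '<h2>Invalid type id</h2>';
    }
    // Defence in depth: encode on output even though validation passed.
    $encoded = htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h2>Type #{$encoded}</h2>";
}

// Constructed sample inputs: a benign id and a value carrying HTML tags.
$benign = ['id' => '3'];
$markup = ['id' => '3<b>x</b>'];

// The vulnerable function returns the tags unencoded; the safe one rejects
// the second input and encodes the first.
echo render_type_heading_vulnerable($markup), PHP_EOL;
echo render_type_heading_safe($benign), PHP_EOL;
echo render_type_heading_safe($markup), PHP_EOL;
```

If the page legitimately needs non-numeric ids, keep the `htmlspecialchars` call with `ENT_QUOTES` and drop only the regex; encoding on output is the control that removes the XSS, validation narrows the attack surface further.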

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.