CVE-2026-7392
Description
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. It affects the function delete_supplier of the file /ajax.php?action=delete_supplier. Manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in delete_supplier action.
Vulnerability
A SQL injection vulnerability exists in the delete_supplier function of the SourceCodester Pharmacy Sales and Inventory System version 1.0. The flaw occurs in the /ajax.php?action=delete_supplier endpoint where the id parameter is directly concatenated into SQL queries without sanitization [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely by sending a crafted POST request with a malicious id parameter. No prior authentication or special network position is required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, potentially leading to unauthorized database access, data leakage, data modification, and full control of the database server, which could compromise the entire application [1].
Mitigation
As of the publication date, no official patch has been released. Users are advised to implement input validation or switch to parameterized queries to prevent SQL injection. The vendor's site provides the source code, but no fix is available [1]. The exploit details have been publicly disclosed, increasing the risk of active attacks.
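To make the recommended mitigation concrete, here is an added illustration of the concatenation pattern the description refers to beside a hardened handler that validates the value and binds it as a typed parameter. This is example code written for this page, not the project's own source; the table name `suppliers`, the column `id`, the `$db`/`$pdo` handles and the session check are assumptions.

```php
<?php
// Added illustration, not the project's code. Table, column and the
// mysqli/PDO handles are assumptions chosen to match the page's description.

// Vulnerable form: the request value is concatenated straight into the
// statement, so whatever arrives in "id" is parsed as SQL, not treated as data.
function delete_supplier_vulnerable(mysqli $db, array $post): bool
{
    $id = $post['id'] ?? '';
    return $db->query("DELETE FROM suppliers WHERE id = {$id}") !== false;
}

// Hardened form: require a logged-in user (the page notes the endpoint is
// reachable unauthenticated), validate the shape of the input, then bind it
// as an integer parameter so the database never interprets it as syntax.
function delete_supplier(PDO $pdo, array $post, array $session): bool
{
    // Assumed session key; an unauthenticated caller must not reach the query.
    if (empty($session['login_id'])) {
        http_response_code(401);
        return false;
    }

    // Reject anything that is not a positive integer before touching the DB.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // Native prepared statement: the placeholder is sent separately from the
    // value, so the value cannot alter the statement's structure.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare('DELETE FROM suppliers WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // rowCount() is 0 when no supplier had that id; report that as not deleted.
    return $stmt->rowCount() === 1;
}
```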
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.