CVE-2026-7746
Description
A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file /product_expiry/edit-admin.php. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in SourceCodester Pharmacy Product Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL via the id parameter in edit-admin.php.
Vulnerability Details
A SQL injection vulnerability exists in SourceCodester Web-based Pharmacy Product Management System 1.0. The flaw resides in the /product_expiry/edit-admin.php file, where the id parameter is directly concatenated into SQL queries without proper sanitization or prepared statements. This root cause enables an attacker to inject malicious SQL payloads through the vulnerable parameter [1].
Exploitation
The attack is remotely exploitable, but requires an authenticated session with a valid application account. In a local test environment, the vulnerability was confirmed using sqlmap, which successfully identified the injectable parameter and demonstrated DBMS identification, database enumeration, and data extraction capabilities [1]. No special network position beyond standard remote access is needed.
Impact
An authenticated attacker can execute arbitrary SQL commands on the backend database. This allows extraction of sensitive information (e.g., user credentials, pharmacy records, inventory data), modification of database content, and potential escalation to server-side compromise depending on database permissions. The exploit is publicly available, increasing the risk of active exploitation [1].
Mitigation
As of the publication date (2026-05-04), no official patch has been released by SourceCodester. Users should implement strict input validation and parameterized queries (prepared statements) in the affected file. Additionally, applying general security best practices (e.g., least privilege for database accounts) can reduce the impact. Until a fix is available, the system remains vulnerable to authenticated SQL injection attacks [1].
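To make the mitigation concrete, the following is an added illustration (not code from the affected project) of the concatenation pattern the advisory describes beside a hardened version that validates the id and binds it through a mysqli prepared statement; the table and column names, the connection variable and the helper names are assumptions.

```php
<?php
// Added illustration, not code from the affected project.
// Table/column names (product_expiry, product_name, expiry_date) are assumed.

// Pattern the advisory describes: the id value is spliced into the query
// string, so whatever the client sends becomes part of the SQL grammar.
function load_expiry_record_unsafe(mysqli $db, string $raw_id): ?array
{
    $sql = "SELECT id, product_name, expiry_date FROM product_expiry WHERE id = '" . $raw_id . "'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ?: null;
}

// Hardened form: validate the value as a positive integer first, then bind it
// as a typed parameter so the database engine treats it as data, never as SQL.
function load_expiry_record(mysqli $db, string $raw_id): ?array
{
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject anything that is not a positive integer id
    }
    $stmt = $db->prepare('SELECT id, product_name, expiry_date FROM product_expiry WHERE id = ?');
    if ($stmt === false) {
        return null; // prepare failed; do not fall back to string building
    }
    $stmt->bind_param('i', $id);   // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The call site in edit-admin.php would then become (assumed $conn variable):
//   $record = load_expiry_record($conn, (string)($_GET['id'] ?? ''));
//   if ($record === null) { http_response_code(404); exit; }
```

Pairing this with a database account that only has the privileges the page needs (SELECT/UPDATE on the relevant tables) limits what a successful injection elsewhere in the application could reach, as the Mitigation section suggests.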
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Range: = 1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
News mentions (0)
No linked articles in our index yet.