Platform
php
Component
6b21cb788f7f545179286f6c44989448
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Web-based Pharmacy Product Management System, versions 1.0. This flaw resides within the edit-profile.php file, allowing attackers to inject malicious scripts through manipulation of the fullname argument. The vulnerability is remotely exploitable and a public proof-of-concept exists, increasing the risk of active exploitation.
Successful exploitation of CVE-2026-3766 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, redirection to phishing sites, and defacement of the application. Given the pharmacy context, sensitive patient data, including personal information and prescription details, could be compromised. The impact is amplified if the system is used to manage financial transactions, as attackers could potentially manipulate payment processes.
A public proof-of-concept (PoC) for CVE-2026-3766 is available, indicating a relatively low barrier to entry for attackers. The vulnerability was disclosed on 2026-03-08. While the CVSS score is LOW (3.5), the potential impact on sensitive data and the availability of a PoC warrant immediate attention. It is not currently listed on CISA KEV.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3766 is to upgrade to a patched version of SourceCodester Web-based Pharmacy Product Management System. As no fixed version is specified, contact SourceCodester directly for an updated release. In the interim, implement strict input validation and output encoding on the fullname parameter within the edit-profile.php file. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security policies and user access controls.
Update to a patched version of the pharmacy management system. Contact the vendor for a corrected version or apply a patch that filters the input of the 'fullname' field in the 'edit-profile.php' file to prevent XSS code execution.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3766 is a cross-site scripting (XSS) vulnerability in SourceCodester Web-based Pharmacy Product Management System 1.0, allowing attackers to inject malicious scripts via the 'fullname' parameter.
If you are using SourceCodester Web-based Pharmacy Product Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the software. Contact SourceCodester for an updated release. Implement input validation and output encoding as an interim measure.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems closely and apply mitigations immediately.
Check the SourceCodester website and security forums for the latest advisory regarding CVE-2026-3766.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.