Plateforme
php
Composant
6b21cb788f7f545179286f6c44989448
Corrigé dans
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Web-based Pharmacy Product Management System, versions 1.0. This flaw resides within the edit-profile.php file, allowing attackers to inject malicious scripts through manipulation of the fullname argument. The vulnerability is remotely exploitable and a public proof-of-concept exists, increasing the risk of active exploitation.
Successful exploitation of CVE-2026-3766 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, redirection to phishing sites, and defacement of the application. Given the pharmacy context, sensitive patient data, including personal information and prescription details, could be compromised. The impact is amplified if the system is used to manage financial transactions, as attackers could potentially manipulate payment processes.
A public proof-of-concept (PoC) for CVE-2026-3766 is available, indicating a relatively low barrier to entry for attackers. The vulnerability was disclosed on 2026-03-08. While the CVSS score is LOW (3.5), the potential impact on sensitive data and the availability of a PoC warrant immediate attention. It is not currently listed on CISA KEV.
Pharmacies and healthcare providers utilizing SourceCodester Web-based Pharmacy Product Management System version 1.0 are at direct risk. Shared hosting environments where multiple pharmacy systems reside on the same server are particularly vulnerable, as a compromise of one system could potentially lead to lateral movement and impact others.
• php / web:
grep -r 'fullname' /var/www/html/edit-profile.php | grep -i '<script' • generic web:
curl -I http://your-pharmacy-system/edit-profile.php?fullname=<script>alert(1)</script> | grep -i scriptdisclosure
Statut de l'Exploit
EPSS
0.03% (percentile 9%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-3766 is to upgrade to a patched version of SourceCodester Web-based Pharmacy Product Management System. As no fixed version is specified, contact SourceCodester directly for an updated release. In the interim, implement strict input validation and output encoding on the fullname parameter within the edit-profile.php file. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security policies and user access controls.
Mettre à jour vers une version corrigée du système de gestion de pharmacie. Contacter le fournisseur pour obtenir une version corrigée ou appliquer un correctif qui filtre l'entrée du champ 'fullname' dans le fichier 'edit-profile.php' pour éviter l'exécution de code XSS.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-3766 is a cross-site scripting (XSS) vulnerability in SourceCodester Web-based Pharmacy Product Management System 1.0, allowing attackers to inject malicious scripts via the 'fullname' parameter.
If you are using SourceCodester Web-based Pharmacy Product Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the software. Contact SourceCodester for an updated release. Implement input validation and output encoding as an interim measure.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems closely and apply mitigations immediately.
Check the SourceCodester website and security forums for the latest advisory regarding CVE-2026-3766.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.