Platform
php
Component
6b21cb788f7f545179286f6c44989448
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Web-based Pharmacy Product Management System version 1.0. The flaw resides in the edit-profile.php file, allowing attackers to inject malicious scripts by manipulating the fullname parameter. The vulnerability is remotely exploitable and a public proof-of-concept exists, increasing the risk of active exploitation.
Successful exploitation of CVE-2026-3766 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, redirection to phishing sites, and defacement of the application. Given the pharmacy context, sensitive patient data, including personal information and prescription details, could be compromised. The impact is amplified if the system is used to manage financial transactions, as attackers could potentially manipulate payment processes.
A public proof-of-concept (PoC) for CVE-2026-3766 is available, indicating a relatively low barrier to entry for attackers. The vulnerability was disclosed on 2026-03-08. While the CVSS score is LOW (3.5), the potential impact on sensitive data and the availability of a PoC warrant immediate attention. It is not currently listed on CISA KEV.
Pharmacies and healthcare providers utilizing SourceCodester Web-based Pharmacy Product Management System version 1.0 are at direct risk. Shared hosting environments where multiple pharmacy systems reside on the same server are particularly vulnerable, as a compromise of one system could potentially lead to lateral movement and impact others.
• php / web:
  # flags lines of the profile handler that emit the fullname value next to script markup
  grep -r 'fullname' /var/www/html/edit-profile.php | grep -i '<script'
• generic web:
  # quoted, URL-encoded request; a hit means the probe string is reflected unencoded in the response body
  curl -s 'http://your-pharmacy-system/edit-profile.php?fullname=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -i '<script'
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3766 is to upgrade to a patched version of SourceCodester Web-based Pharmacy Product Management System. As no fixed version is specified, contact SourceCodester directly for an updated release. In the interim, implement strict input validation and output encoding on the fullname parameter within the edit-profile.php file. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security policies and user access controls.
Update to a patched version of the Pharmacy Product Management System. Contact the vendor to obtain the fixed version, or apply a patch that filters input to the 'fullname' field in the 'edit-profile.php' file to prevent execution of XSS code.
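The interim mitigation above (validate the fullname input, encode it on output) is shown here as an added illustration in PHP; this is not the project's edit-profile.php and the function names, the allowed-character rule and the request handling are assumptions of the example. The unsafe function reproduces the general pattern behind this class of bug (user input concatenated straight into HTML), and the hardened form encodes at every output point, in both the HTML body and the attribute context.

```php
<?php
// Added illustration, not the project's code: a hypothetical "fullname"
// handler showing the unencoded-output pattern behind an XSS and the
// hardened form (validate on input, encode on output).
declare(strict_types=1);

// Illustrative vulnerable pattern: the value is written straight into HTML.
function renderProfileUnsafe(string $fullname): string
{
    return '<h2>Welcome, ' . $fullname . '</h2>'
         . '<input type="text" name="fullname" value="' . $fullname . '">';
}

// Input validation: length bound plus a conservative allow-list (Unicode
// letters and marks, space, apostrophe, hyphen, period). The allow-list is
// an assumption of this example; adjust it to the deployment's real needs.
// Returns null when the value is rejected.
function validateFullname(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Output encoding for HTML body and double-quoted attribute contexts.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode at the point of output, in every context.
function renderProfileSafe(string $fullname): string
{
    return '<h2>Welcome, ' . h($fullname) . '</h2>'
         . '<input type="text" name="fullname" value="' . h($fullname) . '">';
}

// Request handling: validate first, then only ever emit encoded values.
// Rejected input is never echoed back.
function handleEditProfile(array $post): array
{
    $raw  = (string) ($post['fullname'] ?? '');
    $name = validateFullname($raw);
    if ($name === null) {
        return ['status' => 400, 'body' => '<p>Invalid full name.</p>'];
    }
    // ... persist $name here, e.g. with a prepared statement ...
    return ['status' => 200, 'body' => renderProfileSafe($name)];
}

// Self-check using a constructed probe string (the same one the detection
// command on this page looks for).
function selfCheck(): bool
{
    $probe  = '<script>alert(1)</script>';
    $unsafe = renderProfileUnsafe($probe);
    $safe   = renderProfileSafe($probe);

    $ok = str_contains($unsafe, '<script>')          // unsafe form reflects it
       && !str_contains($safe, '<script>')           // hardened form does not
       && str_contains($safe, '&lt;script&gt;');     // it is encoded instead

    // The probe is rejected by validation before it can be stored at all,
    // while a legitimate name with an apostrophe and hyphen passes and is
    // still encoded on output (ENT_HTML5 renders ' as &apos;).
    $rejected = handleEditProfile(['fullname' => $probe]);
    $accepted = handleEditProfile(['fullname' => "María O'Neil-Smith"]);
    return $ok
        && $rejected['status'] === 400
        && $accepted['status'] === 200
        && str_contains($accepted['body'], 'O&apos;Neil-Smith');
}

if (PHP_SAPI === 'cli') {
    echo selfCheck() ? "checks passed\n" : "checks FAILED\n";
}
```

Run it with `php edit-profile-example.php` (any file name) on PHP 8 or later; `str_contains` and the `?string` return type need PHP 8. Validation and encoding are both kept because they serve different purposes: the allow-list limits what reaches storage, while encoding on output is what actually prevents script execution for any value that does get rendered, including data already in the database from before the fix.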
CVE-2026-3766 is a cross-site scripting (XSS) vulnerability in SourceCodester Web-based Pharmacy Product Management System 1.0, allowing attackers to inject malicious scripts via the 'fullname' parameter.
If you are using SourceCodester Web-based Pharmacy Product Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the software. Contact SourceCodester for an updated release. Implement input validation and output encoding as an interim measure.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems closely and apply mitigations immediately.
Check the SourceCodester website and security forums for the latest advisory regarding CVE-2026-3766.