Platform
php
Component
6b21cb788f7f545179286f6c44989448
Opgelost in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Web-based Pharmacy Product Management System, versions 1.0. This flaw resides within the edit-profile.php file, allowing attackers to inject malicious scripts through manipulation of the fullname argument. The vulnerability is remotely exploitable and a public proof-of-concept exists, increasing the risk of active exploitation.
Successful exploitation of CVE-2026-3766 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, redirection to phishing sites, and defacement of the application. Given the pharmacy context, sensitive patient data, including personal information and prescription details, could be compromised. The impact is amplified if the system is used to manage financial transactions, as attackers could potentially manipulate payment processes.
A public proof-of-concept (PoC) for CVE-2026-3766 is available, indicating a relatively low barrier to entry for attackers. The vulnerability was disclosed on 2026-03-08. While the CVSS score is LOW (3.5), the potential impact on sensitive data and the availability of a PoC warrant immediate attention. It is not currently listed on CISA KEV.
Pharmacies and healthcare providers utilizing SourceCodester Web-based Pharmacy Product Management System version 1.0 are at direct risk. Shared hosting environments where multiple pharmacy systems reside on the same server are particularly vulnerable, as a compromise of one system could potentially lead to lateral movement and impact others.
• php / web:
grep -r 'fullname' /var/www/html/edit-profile.php | grep -i '<script' • generic web:
curl -I http://your-pharmacy-system/edit-profile.php?fullname=<script>alert(1)</script> | grep -i scriptdisclosure
Exploit Status
EPSS
0.03% (9% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-3766 is to upgrade to a patched version of SourceCodester Web-based Pharmacy Product Management System. As no fixed version is specified, contact SourceCodester directly for an updated release. In the interim, implement strict input validation and output encoding on the fullname parameter within the edit-profile.php file. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security policies and user access controls.
Werk bij naar een gepatchte versie van het farmacie product management systeem. Neem contact op met de leverancier voor een gecorrigeerde versie of pas een patch toe die de invoer van het veld 'fullname' in het bestand 'edit-profile.php' filtert om de uitvoering van XSS code te voorkomen.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2026-3766 is a cross-site scripting (XSS) vulnerability in SourceCodester Web-based Pharmacy Product Management System 1.0, allowing attackers to inject malicious scripts via the 'fullname' parameter.
If you are using SourceCodester Web-based Pharmacy Product Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the software. Contact SourceCodester for an updated release. Implement input validation and output encoding as an interim measure.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems closely and apply mitigations immediately.
Check the SourceCodester website and security forums for the latest advisory regarding CVE-2026-3766.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.