平台
php
组件
6b21cb788f7f545179286f6c44989448
修复版本
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Web-based Pharmacy Product Management System, versions 1.0. This flaw resides within the edit-profile.php file, allowing attackers to inject malicious scripts through manipulation of the fullname argument. The vulnerability is remotely exploitable and a public proof-of-concept exists, increasing the risk of active exploitation.
Successful exploitation of CVE-2026-3766 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, redirection to phishing sites, and defacement of the application. Given the pharmacy context, sensitive patient data, including personal information and prescription details, could be compromised. The impact is amplified if the system is used to manage financial transactions, as attackers could potentially manipulate payment processes.
A public proof-of-concept (PoC) for CVE-2026-3766 is available, indicating a relatively low barrier to entry for attackers. The vulnerability was disclosed on 2026-03-08. While the CVSS score is LOW (3.5), the potential impact on sensitive data and the availability of a PoC warrant immediate attention. It is not currently listed on CISA KEV.
Pharmacies and healthcare providers utilizing SourceCodester Web-based Pharmacy Product Management System version 1.0 are at direct risk. Shared hosting environments where multiple pharmacy systems reside on the same server are particularly vulnerable, as a compromise of one system could potentially lead to lateral movement and impact others.
• php / web:
grep -r 'fullname' /var/www/html/edit-profile.php | grep -i '<script' • generic web:
curl -I http://your-pharmacy-system/edit-profile.php?fullname=<script>alert(1)</script> | grep -i scriptdisclosure
漏洞利用状态
EPSS
0.03% (9% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2026-3766 is to upgrade to a patched version of SourceCodester Web-based Pharmacy Product Management System. As no fixed version is specified, contact SourceCodester directly for an updated release. In the interim, implement strict input validation and output encoding on the fullname parameter within the edit-profile.php file. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security policies and user access controls.
升级到已修复的版本。联系供应商获取修复版本,或应用一个补丁,过滤 'fullname' 字段的输入,以防止 XSS 代码执行。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-3766 is a cross-site scripting (XSS) vulnerability in SourceCodester Web-based Pharmacy Product Management System 1.0, allowing attackers to inject malicious scripts via the 'fullname' parameter.
If you are using SourceCodester Web-based Pharmacy Product Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the software. Contact SourceCodester for an updated release. Implement input validation and output encoding as an interim measure.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems closely and apply mitigations immediately.
Check the SourceCodester website and security forums for the latest advisory regarding CVE-2026-3766.