Skip to content
Threat Feed
critical advisory

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

CVE-2026-6187 is a remote SQL injection vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0 via the ID parameter in /ajax.php?action=chk_prod_availability, allowing unauthenticated attackers to execute arbitrary SQL queries.

SourceCodester Pharmacy Sales and Inventory System version 1.0 is vulnerable to SQL injection via the /ajax.php?action=chk_prod_availability endpoint. The vulnerability, identified as CVE-2026-6187, allows a remote attacker to manipulate the ID argument to inject arbitrary SQL queries into the application's database. Given the public availability of the exploit, organizations using this vulnerable software are at immediate risk. Exploitation does not require authentication, making it easier to exploit and potentially leading to complete database compromise. The lack of required authentication combined with the ease of exploitation, means that any unpatched instance is at high risk of being exploited.

Attack Chain

  1. The attacker identifies an instance of SourceCodester Pharmacy Sales and Inventory System 1.0.
  2. The attacker crafts a malicious HTTP GET request targeting the /ajax.php?action=chk_prod_availability endpoint.
  3. The attacker injects SQL code into the ID parameter of the request.
  4. The vulnerable application processes the attacker-supplied SQL code without proper sanitization or validation.
  5. The injected SQL code is executed against the application's database.
  6. The attacker retrieves sensitive information from the database, such as user credentials, financial data, or inventory details.
  7. The attacker uses the obtained credentials to gain unauthorized access to the application or the underlying system.

Impact

Successful exploitation of this vulnerability can lead to complete database compromise, potentially exposing sensitive patient data, financial records, and proprietary business information. The vulnerability affects all installations of SourceCodester Pharmacy Sales and Inventory System 1.0 that have not been patched. Given the nature of the software, successful attacks could lead to significant financial losses, reputational damage, and regulatory penalties.

Recommendation

  • Apply the patch or upgrade to a secure version of SourceCodester Pharmacy Sales and Inventory System to remediate CVE-2026-6187.
  • Implement the Sigma rule Detect SQL Injection Attempt to identify potential exploitation attempts in web server logs.
  • Monitor web server logs for suspicious requests targeting the /ajax.php?action=chk_prod_availability endpoint, specifically looking for unusual characters or SQL keywords in the ID parameter.

Detection coverage 2

Detect SQL Injection Attempt

high

Detects potential SQL injection attempts by identifying SQL keywords in URI query parameters.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detect Access to Sensitive Files via SQL Injection

critical

Detects attempts to access sensitive files (e.g., /etc/passwd) using SQL injection techniques.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detection queries are available on the platform. Get full rules →