SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability
SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to remote SQL injection via the ID parameter in the /ajax.php?action=delete_customer endpoint, allowing attackers to potentially read, modify, or delete database information.
On May 1, 2026, a SQL injection vulnerability, CVE-2026-7549, was disclosed in SourceCodester Pharmacy Sales and Inventory System version 1.0. The vulnerability resides in the /ajax.php?action=delete_customer endpoint, where the ID parameter is susceptible to manipulation, enabling remote attackers to inject arbitrary SQL commands. Publicly available exploit code exists, increasing the risk of exploitation. Successful exploitation can lead to unauthorized data access, modification, or deletion within the application’s database. This vulnerability is particularly concerning due to the sensitive nature of pharmacy data, potentially impacting confidentiality, integrity, and availability.
Attack Chain
- Attacker identifies the vulnerable /ajax.php?action=delete_customer endpoint in SourceCodester Pharmacy Sales and Inventory System 1.0.
- Attacker crafts a malicious HTTP request targeting the vulnerable endpoint.
- The malicious request includes a manipulated ID parameter containing a SQL injection payload.
- The application fails to properly sanitize the ID parameter before incorporating it into a SQL query.
- The injected SQL code is executed against the application’s database.
- The attacker gains unauthorized access to sensitive data, such as customer information, prescription details, or inventory levels.
- The attacker may modify or delete data within the database, potentially disrupting pharmacy operations or causing data integrity issues.
Impact
Successful exploitation of this SQL injection vulnerability (CVE-2026-7549) can lead to the complete compromise of the SourceCodester Pharmacy Sales and Inventory System database. Attackers could potentially exfiltrate sensitive patient data, modify prescription information, or disrupt pharmacy operations by deleting critical data. The vulnerability has a CVSS v3.1 score of 7.3 (HIGH), indicating a significant risk. The number of victims and specific sectors targeted remain unknown, but any pharmacy using the affected version is potentially at risk.
Recommendation
- Apply input validation and sanitization to all user-supplied input, especially the ID parameter in /ajax.php?action=delete_customer, to prevent SQL injection (CWE-89).
- Deploy the Sigma rule “Detect SQL Injection Attempts in Pharmacy Sales System” to identify and block malicious requests targeting the vulnerable endpoint.
- Upgrade to a patched version of SourceCodester Pharmacy Sales and Inventory System that addresses CVE-2026-7549 once available.
- Monitor web server logs for suspicious activity, such as unusual requests to /ajax.php?action=delete_customer, to detect potential exploitation attempts.
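To make the attack chain and the first recommendation concrete, here is an added example (not code from the SourceCodester project, whose source is not reproduced on this page): a Python/sqlite3 model of a delete_customer handler, showing the CWE-89 string-concatenation pattern beside a version that validates the ID as a positive integer and binds it as a query parameter. The customers table, its columns, the sample rows and the handler names are constructed for the demo and are assumptions, not the application's real schema.

```python
import re
import sqlite3

# Constructed stand-in for the application's customer table; the real
# SourceCodester schema is not shown on the advisory and is assumed here.
SCHEMA = "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)"
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# Allow-list for the ID parameter: a positive decimal integer, nothing else.
SAFE_ID = re.compile(r"[1-9][0-9]*")


class InvalidCustomerId(ValueError):
    """Raised when the supplied ID is not a positive integer."""


def make_db():
    """Fresh in-memory database with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def delete_customer_vulnerable(conn, raw_id):
    """CWE-89 pattern: the request value is concatenated into the statement.

    A value such as 1' OR '1'='1 turns the WHERE clause into a tautology,
    so every row is deleted instead of one. Returns the number of rows removed.
    """
    sql = "DELETE FROM customers WHERE id = '" + raw_id + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def parse_customer_id(raw_id):
    """Validate the ID before it gets anywhere near the database."""
    if not isinstance(raw_id, str) or not SAFE_ID.fullmatch(raw_id):
        raise InvalidCustomerId("customer id must be a positive integer")
    return int(raw_id)


def is_valid_customer_id(raw_id):
    """Boolean wrapper around parse_customer_id for callers that only need yes/no."""
    try:
        parse_customer_id(raw_id)
        return True
    except InvalidCustomerId:
        return False


def delete_customer_hardened(conn, raw_id):
    """Validated integer bound as a parameter: the value can never change the query shape."""
    customer_id = parse_customer_id(raw_id)
    cur = conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    conn.commit()
    return cur.rowcount


def demo():
    """Returns (rows deleted by the vulnerable handler for a tautology payload,
    rows deleted by the hardened handler for a valid ID,
    whether the hardened handler rejected the same payload)."""
    tautology = "1' OR '1'='1"
    wiped = delete_customer_vulnerable(make_db(), tautology)
    conn = make_db()
    deleted = delete_customer_hardened(conn, "2")
    try:
        delete_customer_hardened(conn, tautology)
        rejected = False
    except InvalidCustomerId:
        rejected = True
    return wiped, deleted, rejected


if __name__ == "__main__":
    print(demo())  # (3, 1, True)
```

The allow-list check is the important half: a bound parameter alone stops the value from altering the statement, but rejecting anything that is not a positive integer before the database call also gives the application a clean place to log and count bad requests, which is what the monitoring recommendation needs.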
Detection coverage (2 rules)
- Detect SQL Injection Attempts in Pharmacy Sales System (high): Detects potential SQL injection attempts targeting the /ajax.php?action=delete_customer endpoint.
- Detect SQL Injection Error Messages in Web Server Logs (medium): Detects SQL injection attempts based on common error messages returned by the database.
Detection queries are kept inside the platform.
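The platform's own detection queries are not shown here. As an added illustration of the two rule ideas listed above (not the vendor's Sigma rules), the following Python script applies them to constructed log data: it flags requests to /ajax.php with action=delete_customer whose id value is not a plain positive integer, and it flags well-known database error strings in a PHP error log. The Apache-style access-log lines, the error-log lines, the parameter key "id" (the advisory only says "ID parameter") and the severity labels are all assumptions made for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access-log lines (sample data, not real traffic).
ACCESS_LOG = [
    '10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /ajax.php?action=delete_customer&id=12 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/May/2026:10:00:07 +0000] "GET /ajax.php?action=delete_customer&id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 17 "-" "curl/8.0"',
    '10.0.0.5 - - [01/May/2026:10:00:09 +0000] "GET /ajax.php?action=save_customer&id=3 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/May/2026:10:00:11 +0000] "GET /ajax.php?action=delete_customer&id=1%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "curl/8.0"',
]
# Constructed PHP error-log lines (sample data).
ERROR_LOG = [
    "[01-May-2026 10:00:11 UTC] PHP Warning:  mysqli_query(): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version in /var/www/html/ajax.php on line 88",
    "[01-May-2026 10:00:12 UTC] PHP Notice:  Undefined index: id in /var/www/html/ajax.php on line 80",
]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
VULN_PATH = "/ajax.php"
VULN_ACTION = "delete_customer"
ID_PARAM = "id"  # assumption: the advisory says "ID parameter"; the query key is taken to be "id"
SAFE_ID = re.compile(r"[1-9][0-9]*")
# Tokens that do not belong in a numeric ID but are common in injection attempts.
SQLI_HINTS = re.compile(r"'|\"|--|/\*|;|\b(or|and|union|select|sleep|benchmark)\b", re.IGNORECASE)

# Well-known database error strings a PHP application may leak into its error log.
DB_ERROR_STRINGS = [
    "You have an error in your SQL syntax",  # MySQL / MariaDB
    "SQLSTATE[",                              # PDO
    "syntax error at or near",                # PostgreSQL
    "Unclosed quotation mark",                # Microsoft SQL Server
    "ORA-01756",                              # Oracle: quoted string not properly terminated
]


def parse_access_line(line):
    """Split one combined-format line into the fields the rule needs; None if unparsable."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": url.path,
        "params": parse_qs(url.query, keep_blank_values=True),  # percent-decodes values
        "status": int(m.group("status")),
    }


def check_delete_customer(line):
    """Rule 1: delete_customer request whose id is not a plain positive integer."""
    rec = parse_access_line(line)
    if rec is None or rec["path"] != VULN_PATH:
        return None
    if rec["params"].get("action") != [VULN_ACTION]:
        return None
    for raw in rec["params"].get(ID_PARAM, []):
        if not SAFE_ID.fullmatch(raw):
            severity = "high" if SQLI_HINTS.search(raw) else "medium"
            return {"rule": "delete_customer_sqli", "severity": severity,
                    "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "id": raw}
    return None


def check_db_error(line):
    """Rule 2: database error text in the error log, a common side effect of broken quoting."""
    for needle in DB_ERROR_STRINGS:
        if needle in line:
            return {"rule": "db_error_message", "severity": "medium", "matched": needle}
    return None


def scan(access_lines, error_lines):
    """Run both rules and return the alerts in log order."""
    alerts = [a for a in map(check_delete_customer, access_lines) if a]
    alerts += [a for a in map(check_db_error, error_lines) if a]
    return alerts


if __name__ == "__main__":
    for alert in scan(ACCESS_LOG, ERROR_LOG):
        print(alert)
```

One caveat for anyone adapting this: a standard access log only records the query string, so if the application reads the ID from a POST body the first rule sees nothing. In that case the ID has to be logged by the application or a reverse proxy/WAF, and the second rule (a database error string, often alongside a 500 response) becomes the more reliable signal.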