SourceCodester Pharmacy System XSS Flaw CVE-2026-8136 Published
CVE-2026-8136 (CVSS 3.3) enables remote stored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0 via the Name parameter in /index.php?page=users.

Executive Summary
A stored cross-site scripting (XSS) vulnerability tracked as CVE-2026-8136 has been disclosed in SourceCodester Pharmacy Sales and Inventory System 1.0. The flaw, assigned a CVSS v3.1 base score of 3.3 (Low), resides in the /index.php?page=users endpoint and can be triggered by manipulating the Name parameter. An exploit proof-of-concept has been published on GitHub, according to an NVD listing and a disclosure report by researcher timeflies123. The vulnerability is remotely exploitable and requires no authentication, though its low severity rating reflects the limited impact of the XSS vector in the context of the application's intended deployment.
Technical Analysis
CVE-2026-8136 affects SourceCodester Pharmacy Sales and Inventory System version 1.0, a PHP-based web application commonly used by small pharmacies for inventory tracking and sales management. The vulnerability is a stored (persistent) XSS condition in the user management interface. An attacker can inject arbitrary JavaScript into the Name field when creating or editing a user record via the /index.php?page=users page. The injected script is stored server-side and executed in the browsers of any administrator or user who subsequently views the affected user list.
Because the attack is stored rather than reflected, a single injection can compromise multiple administrative sessions without requiring social engineering beyond initial access to the user management form. The published exploit code, hosted on GitHub under the timeflies123/cve repository, demonstrates the injection vector. The NVD entry confirms the attack is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs no user interaction (UI:N) for the initial injection, though the XSS payload only fires when a victim views the page.
The CVSS 3.3 score reflects the limited scope of impact: the vulnerability does not directly expose sensitive database contents or enable remote code execution. However, in a typical pharmacy environment where the application is accessible on an internal network or via VPN, an XSS payload could be used to steal session cookies, perform administrative actions on behalf of a logged-in user, or deface the management interface. The researcher's report does not indicate whether the application implements Content Security Policy (CSP) headers or output encoding, both of which would mitigate this class of attack.
SourceCodester is a known vendor of low-cost PHP scripts for small businesses. Their products frequently appear in vulnerability databases due to limited security hardening. Previous CVEs against SourceCodester applications include SQL injection and XSS flaws in similar inventory and point-of-sale systems.
Mitigations & Recommendations
Administrators running SourceCodester Pharmacy Sales and Inventory System 1.0 should immediately review the user management interface for any unauthorized entries that may indicate exploitation. Since no official patch has been released as of publication, the primary mitigation is to restrict network access to the application to trusted IP ranges only, and to implement a web application firewall (WAF) rule that blocks script tags or event handler attributes in the Name parameter. For organizations with development resources, adding server-side input validation and HTML entity encoding on the Name field before storage and display would eliminate the XSS vector entirely. Monitoring authentication logs for unexpected administrative actions is also advisable given the stored nature of the payload.
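The following PHP sketch is an added illustration and is not code from the SourceCodester application or from the researcher's report. It assumes a PDO connection `$pdo`, a hypothetical `users` table with a `name` column, and hypothetical function names of its own; it shows the unsafe output pattern that produces a stored XSS beside the hardened write path (validation plus a prepared statement) and read path (HTML entity encoding at render time, backed by a restrictive CSP), together with a small review helper that flags already-stored names containing markup, as the paragraph above recommends.

```php
<?php
// Added example, not the application's own code. Assumes a PDO connection
// $pdo and a hypothetical `users` table with a `name` column.
declare(strict_types=1);

// --- Vulnerable pattern (illustrative only): the stored value is echoed
// as raw HTML, so markup saved in `name` runs in every viewer's browser.
function renderUserRowUnsafe(array $user): string
{
    return '<tr><td>' . $user['name'] . '</td></tr>';
}

// --- Hardened write path: allow-list validation, then a prepared statement.
// Validation narrows what can be stored; output encoding (below) is the
// control that actually prevents script execution.
function validateName(string $name): bool
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return false;
    }
    // Letters in any script, combining marks, spaces, apostrophes, hyphens, periods.
    return preg_match("/^[\p{L}\p{M}' .\-]+$/u", $name) === 1;
}

function storeUserName(PDO $pdo, int $userId, string $name): bool
{
    if (!validateName($name)) {
        return false; // caller should render a validation error
    }
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    return $stmt->execute([':name' => trim($name), ':id' => $userId]);
}

// --- Hardened read path: encode for an HTML text context at render time.
// ENT_QUOTES makes the same helper safe inside attribute values;
// ENT_SUBSTITUTE avoids silently returning '' on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUserRowSafe(array $user): string
{
    return '<tr><td>' . e($user['name']) . '</td></tr>';
}

// Hypothetical CSP for the admin pages: no inline scripts, so a single
// encoding slip elsewhere still cannot execute an injected <script> or
// event-handler attribute. Must be sent before any output.
function sendCsp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Review helper for administrators auditing existing rows: flags names that
// contain tag delimiters, a javascript: scheme, or an on*= handler fragment.
function looksLikeInjectedMarkup(string $name): bool
{
    return preg_match('/<|>|javascript:|\bon[a-z]+\s*=/i', $name) === 1;
}

// Constructed sample rows standing in for rows read from the users table.
$rows = [
    ['name' => "O'Brien"],                        // legitimate name with a quote
    ['name' => '<script>alert(1)</script>'],      // constructed test payload
];

sendCsp();
echo "<table>\n";
foreach ($rows as $row) {
    echo renderUserRowSafe($row), "\n";          // tags arrive as &lt;script&gt;, inert
    if (looksLikeInjectedMarkup($row['name'])) {
        error_log('Suspicious stored user name: ' . $row['name']);
    }
}
echo "</table>\n";
```

Encoding at display time is the control that holds even for rows injected before the fix was deployed, which is why `renderUserRowSafe` does not depend on `validateName` having run; the review helper gives administrators a quick way to surface the "unauthorized entries" the paragraph above advises checking for, without modifying the stored data.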