CVE-2026-7392

MEDIUM

SourceCodester Pharmacy Sales and Inventory System ajax.php delete_supplier sql injection

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-7392. PoCs published by microwaveabi.

AI-analyzed exploit summary: This repository contains a functional SQL injection (SQLi) exploit for CVE-2026-7392, targeting a pharmacy management system. The vulnerable code is present in the `admin_class.php` file, where user input is directly interpolated into SQL queries without proper sanitization.

Description

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function delete_supplier of the file /ajax.php?action=delete_supplier. Such manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Exploits (1)

github WORKING POC
by microwaveabi · javascript · poc
https://github.com/microwaveabi/pharmacy-sqli-CVE-2026-7392


Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Pharmacy Management System (version not specified)
No auth needed
Prerequisites: Access to the vulnerable endpoint (e.g., login or other input fields)
devstral-2 · analyzed May 30, 2026

References (5)

Core References
VDB Entry, Technical Description
VDB-360117 | SourceCodester Pharmacy Sales and Inventory System ajax.php delete_supplier sql injection
https://vuldb.com/vuln/360117
Signature, Permissions Required
VDB-360117 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/360117/cti
Third Party Advisory
Submit #803107 | sourcecodester Pharmacy Sales and Inventory System V1.0 SQL injection
https://vuldb.com/submit/803107
Exploit, Issue Tracking
https://github.com/microwaveabi/vul/issues/2

Scores

CVSS v3 6.3
EPSS 0.0019
EPSS Percentile 9.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE: CWE-74, CWE-89
Status published
Products (1)
SourceCodester/Pharmacy Sales and Inventory System 1.0
Published Apr 29, 2026
Tracked Since Apr 29, 2026