Cyber Posture

CVE-2026-26704

CriticalPublic PoC

Published: 02 March 2026

Published
02 March 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 15.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26704 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Pharmacy Point Of Sale System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents SQL injection in /pharmacy/view_category.php by enforcing input validation mechanisms to reject malicious SQL payloads.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the specific SQL injection flaw documented in CVE-2026-26704.

SC-7 Boundary Protection partial match
preventdetect

Deploys boundary protection such as web application firewalls to inspect and block SQL injection attempts targeting the vulnerable endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
attack.mitre.org →
Why these techniques?

SQLi in public-facing web app directly maps to T1190 for initial exploitation; arbitrary queries enable direct DB data collection (T1213.006) and stored data manipulation/deletion (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_category.php.

Deeper analysisAI

CVE-2026-26704 is an SQL Injection vulnerability (CWE-89) in the sourcecodester Pharmacy Point of Sale System version 1.0, specifically affecting the /pharmacy/view_category.php component. Published on 2026-03-02T18:16:26.553, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low attack complexity and no requirement for user interaction. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, allowing attackers to execute arbitrary SQL queries, potentially leading to data extraction, modification, or deletion within the application's database.

A bug report detailing the vulnerability is available at https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-1.md. No official patches or mitigation guidance from vendors is referenced in the available information.

Details

CWE(s)
CWE-89

Affected Products

oretnom23
pharmacy point of sale system
1.0

CVEs Like This One

CVE-2026-26708Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26706Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26705Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26707Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-30534Same vendor: Oretnom23
CVE-2025-2654Same vendor: Oretnom23
CVE-2026-30531Same vendor: Oretnom23
CVE-2026-30533Same vendor: Oretnom23
CVE-2026-30529Same vendor: Oretnom23
CVE-2026-30532Same vendor: Oretnom23

References