CVE-2026-26705
Published: 02 March 2026
Summary
CVE-2026-26705 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Pharmacy Point Of Sale System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires comprehensive input validation at the application layer, directly preventing SQL injection by rejecting malicious payloads in endpoints like /pharmacy/view_product.php.
SI-2 mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability through patching or code remediation.
RA-5 requires regular vulnerability scanning that detects SQL injection flaws like CVE-2026-26705 and subsequent remediation to prevent exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web endpoint (/view_product.php) directly enables remote exploitation of the application for initial access and arbitrary DB operations leading to system compromise.
NVD Description
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_product.php.
Deeper analysisAI
CVE-2026-26705 is a SQL injection vulnerability (CWE-89) affecting sourcecodester Pharmacy Point of Sale System version 1.0, specifically in the /pharmacy/view_product.php component. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious SQL payloads into the vulnerable endpoint, the attacker can achieve arbitrary database operations, including reading sensitive data, modifying records, or executing administrative commands, potentially leading to full system compromise.
Details on the vulnerability, including a proof-of-concept, are documented in a GitHub bug report at https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-2.md, which security practitioners should review for reproduction steps and potential workarounds, as no vendor patches are referenced in available information.
Details
- CWE(s)