CVE-2026-26707
Published: 02 March 2026
Summary
CVE-2026-26707 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Pharmacy Point Of Sale System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26707 is an SQL Injection vulnerability (CWE-89) in the sourcecodester Pharmacy Point of Sale System version 1.0, specifically affecting the /pharmacy/view_supplier.php component. Published on 2026-03-02T18:16:26.903, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, enabling arbitrary SQL query execution such as data exfiltration, modification, or deletion from the underlying database.
Further technical details, including proof-of-concept exploitation steps, are documented in the referenced advisory at https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-4.md. No specific patches or mitigation guidance are detailed in the available information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9221
Vulnerability details
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_supplier.php.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated network-accessible SQL injection in a web application component (view_supplier.php) directly enables exploitation of public-facing applications for initial access and subsequent database impact (exfil/modify/delete).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of user inputs to /pharmacy/view_supplier.php, directly preventing SQL injection payloads from being executed in database queries.
Mandates identification, prioritization, and correction of the specific SQL injection flaw in Pharmacy Point of Sale System v1.0.
Vulnerability scanning detects the SQLi vulnerability in view_supplier.php, enabling risk-based remediation before exploitation.