Cyber Posture

CVE-2026-26707

CriticalPublic PoC

Published: 02 March 2026

Published
02 March 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26707 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Pharmacy Point Of Sale System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of user inputs to /pharmacy/view_supplier.php, directly preventing SQL injection payloads from being executed in database queries.

SI-2 Flaw Remediation good match
prevent

Mandates identification, prioritization, and correction of the specific SQL injection flaw in Pharmacy Point of Sale System v1.0.

RA-5 Vulnerability Monitoring and Scanning good match
preventdetect

Vulnerability scanning detects the SQLi vulnerability in view_supplier.php, enabling risk-based remediation before exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated network-accessible SQL injection in a web application component (view_supplier.php) directly enables exploitation of public-facing applications for initial access and subsequent database impact (exfil/modify/delete).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_supplier.php.

Deeper analysisAI

CVE-2026-26707 is an SQL Injection vulnerability (CWE-89) in the sourcecodester Pharmacy Point of Sale System version 1.0, specifically affecting the /pharmacy/view_supplier.php component. Published on 2026-03-02T18:16:26.903, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, enabling arbitrary SQL query execution such as data exfiltration, modification, or deletion from the underlying database.

Further technical details, including proof-of-concept exploitation steps, are documented in the referenced advisory at https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-4.md. No specific patches or mitigation guidance are detailed in the available information.

Details

CWE(s)
CWE-89

Affected Products

oretnom23
pharmacy point of sale system
1.0

CVEs Like This One

CVE-2026-26706Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26705Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26708Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26704Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-30531Same vendor: Oretnom23
CVE-2026-30533Same vendor: Oretnom23
CVE-2026-30529Same vendor: Oretnom23
CVE-2026-30532Same vendor: Oretnom23
CVE-2026-26892Same vendor: Oretnom23
CVE-2026-30530Same vendor: Oretnom23

References