Cyber Resilience

CVE-2026-26708

CriticalPublic PoC

Published: 02 March 2026

Published
02 March 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0032 23.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26708 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Pharmacy Point Of Sale System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26708 is a SQL injection vulnerability (CWE-89) affecting sourcecodester Pharmacy Point of Sale System version 1.0, specifically in the /pharmacy/manage_user.php component. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8, rated critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows arbitrary SQL query execution, potentially enabling full database compromise, including data exfiltration, modification, deletion, or execution of administrative operations depending on database privileges.

For mitigation details, refer to the advisory in the provided reference: https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-5.md. No patches or vendor-specific fixes are detailed in available information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in unauthenticated public-facing web app component directly enables remote exploitation (T1190); arbitrary query execution facilitates direct access to database contents (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26704Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26706Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26707Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-26705Same product: Oretnom23 Pharmacy Point Of Sale System
CVE-2026-30534Same vendor: Oretnom23
CVE-2026-30531Same vendor: Oretnom23
CVE-2026-30529Same vendor: Oretnom23
CVE-2025-2655Same vendor: Oretnom23
CVE-2026-26892Same vendor: Oretnom23
CVE-2025-2387Same vendor: Oretnom23

Affected Assets

oretnom23
pharmacy point of sale system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection in /pharmacy/manage_user.php by validating and sanitizing untrusted user inputs before processing in database queries.

prevent

Requires timely remediation of the specific SQL injection flaw (CVE-2026-26708) in Pharmacy Point of Sale System v1.0 to eliminate the vulnerability.

detect

Employs vulnerability scanning to identify SQL injection vulnerabilities like CVE-2026-26708 in web application endpoints such as /pharmacy/manage_user.php.

References