CVE-2026-26708
Published: 02 March 2026
Summary
CVE-2026-26708 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Pharmacy Point Of Sale System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection in /pharmacy/manage_user.php by validating and sanitizing untrusted user inputs before processing in database queries.
Requires timely remediation of the specific SQL injection flaw (CVE-2026-26708) in Pharmacy Point of Sale System v1.0 to eliminate the vulnerability.
Employs vulnerability scanning to identify SQL injection vulnerabilities like CVE-2026-26708 in web application endpoints such as /pharmacy/manage_user.php.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web app component directly enables remote exploitation (T1190); arbitrary query execution facilitates direct access to database contents (T1213.006).
NVD Description
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php.
Deeper analysisAI
CVE-2026-26708 is a SQL injection vulnerability (CWE-89) affecting sourcecodester Pharmacy Point of Sale System version 1.0, specifically in the /pharmacy/manage_user.php component. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8, rated critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows arbitrary SQL query execution, potentially enabling full database compromise, including data exfiltration, modification, deletion, or execution of administrative operations depending on database privileges.
For mitigation details, refer to the advisory in the provided reference: https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-5.md. No patches or vendor-specific fixes are detailed in available information.
Details
- CWE(s)