CVE-2026-26708
Published: 02 March 2026
Summary
CVE-2026-26708 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Pharmacy Point Of Sale System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26708 is a SQL injection vulnerability (CWE-89) affecting sourcecodester Pharmacy Point of Sale System version 1.0, specifically in the /pharmacy/manage_user.php component. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8, rated critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows arbitrary SQL query execution, potentially enabling full database compromise, including data exfiltration, modification, deletion, or execution of administrative operations depending on database privileges.
For mitigation details, refer to the advisory in the provided reference: https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/pharmacy-point-sale-system/SQL-5.md. No patches or vendor-specific fixes are detailed in available information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9205
Vulnerability details
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web app component directly enables remote exploitation (T1190); arbitrary query execution facilitates direct access to database contents (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection in /pharmacy/manage_user.php by validating and sanitizing untrusted user inputs before processing in database queries.
Requires timely remediation of the specific SQL injection flaw (CVE-2026-26708) in Pharmacy Point of Sale System v1.0 to eliminate the vulnerability.
Employs vulnerability scanning to identify SQL injection vulnerabilities like CVE-2026-26708 in web application endpoints such as /pharmacy/manage_user.php.