CVE-2026-30573
Published: 01 April 2026
Summary
CVE-2026-30573 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in Senior-Walter Web-Based Pharmacy Product Management System. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the 16.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of inputs like txtprice and txttotalcost to reject invalid negative values, preventing business logic manipulation in sales transactions.
- Enforces restrictions on input quantities and types, such as requiring positive numeric values only for price and total cost fields to block negative submissions.
- Mandates identification and correction of the specific input validation flaw in add-sales.php, eliminating the vulnerability at its source.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The logic flaw in a public-facing web application allows unauthenticated exploitation over the network (T1190), which directly corrupts stored financial and sales records through injected negative values (T1565.001, Stored Data Manipulation).
NVD Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters, allowing attackers to submit negative values for sales transactions. This leads to incorrect financial calculations, corruption of sales reports, and potential financial loss.
Deeper analysis
CVE-2026-30573 is a business logic vulnerability in SourceCodester Pharmacy Product Management System 1.0, located in the add-sales.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters, allowing attackers to submit negative values for sales transactions. This flaw results in incorrect financial calculations, corruption of sales reports, and potential financial loss. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-1284: Improper Validation of Specified Quantity in Input.
An unauthenticated attacker with network access can exploit this vulnerability at low complexity without requiring user interaction. By injecting negative values into the price or total cost fields during sales submission, the attacker manipulates transaction records, distorting financial data and sales reports to create inaccuracies that could lead to organizational financial loss.
A proof-of-concept exploit is documented at https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddSales-NegativePrice.md. No vendor advisories or patches are referenced in the CVE details.
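The SI-10 control referenced above calls for rejecting negative or non-numeric values on these fields. The following added example (not code from the SourceCodester project) shows such a server-side check for the txtprice and txttotalcost parameters, and additionally recomputes the total from a quantity field; the field name txtqty is an assumption, as the page names only the two price parameters.

```php
<?php
// Added example: server-side validation for the add-sales form parameters named
// in CVE-2026-30573. Not the project's own code; txtqty is an assumed field name.

/**
 * Validate the add-sales POST fields. Returns a list of error strings;
 * an empty list means the submission is acceptable.
 */
function validate_sale_input(array $post): array
{
    $errors = [];
    // Strict parsing: missing, empty and non-numeric values come back as false.
    // is_finite() additionally rejects values that overflow to INF.
    $price = filter_var($post['txtprice'] ?? null, FILTER_VALIDATE_FLOAT);
    $total = filter_var($post['txttotalcost'] ?? null, FILTER_VALIDATE_FLOAT);
    $qty   = filter_var($post['txtqty'] ?? null, FILTER_VALIDATE_INT); // assumed field

    if ($price === false || !is_finite($price) || $price <= 0) {
        $errors[] = 'txtprice must be a positive number';
    }
    if ($total === false || !is_finite($total) || $total <= 0) {
        $errors[] = 'txttotalcost must be a positive number';
    }
    if ($qty === false || $qty < 1) {
        $errors[] = 'txtqty must be a positive integer';
    }
    if ($errors) {
        return $errors;
    }
    // Do not trust the client-supplied total: recompute it and require agreement
    // to the cent, so a positive but inconsistent total is rejected as well.
    $expected = round($price * $qty, 2);
    if (abs(round($total, 2) - $expected) > 0.005) {
        $errors[] = sprintf('txttotalcost %.2f does not match %d x %.2f = %.2f',
                            $total, $qty, $price, $expected);
    }
    return $errors;
}

// Constructed sample submissions, including the negative-value case from the CVE.
$samples = [
    'valid'          => ['txtprice' => '12.50',  'txttotalcost' => '25.00',  'txtqty' => '2'],
    'negative price' => ['txtprice' => '-12.50', 'txttotalcost' => '-25.00', 'txtqty' => '2'],
    'wrong total'    => ['txtprice' => '12.50',  'txttotalcost' => '1.00',   'txtqty' => '2'],
    'non-numeric'    => ['txtprice' => 'abc',    'txttotalcost' => '',       'txtqty' => '2'],
];
foreach ($samples as $label => $post) {
    $errors = validate_sale_input($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
```

The check runs before any database write, so a rejected submission never reaches the sales table; only the "valid" sample above is accepted.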
Details
- CWE(s)