Cyber Posture

CVE-2026-30574

High · Public PoC

Published: 27 March 2026
Modified: 31 March 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: none referenced
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30574 is a high-severity Improper Enforcement of Behavioral Workflow (CWE-841) vulnerability in the Senior-Walter Web-Based Pharmacy Product Management System (the SourceCodester Pharmacy Product Management System 1.0). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Exploit likelihood (EPSS) sits at the 16.5th percentile, below the median; the CVE is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Stored Data Manipulation (T1565.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Directly mandates input validation mechanisms that enforce that the txtqty parameter does not exceed available stock, preventing the business-logic overselling vulnerability.

SI-2 Flaw Remediation (detect, respond)
Establishes processes to identify, prioritize, test, and remediate the specific code flaw in add-sales.php that lacks stock quantity verification.

Transaction monitoring (detect)
Enables real-time monitoring of sales transactions to identify indicators of overselling, such as quantities exceeding stock levels.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

A business-logic flaw in an unauthenticated, public-facing web application enables remote exploitation (T1190) and direct, unauthorized modification of stored inventory data through parameter manipulation (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock.

Deeper analysis (AI)

CVE-2026-30574 is a business logic vulnerability in the SourceCodester Pharmacy Product Management System 1.0, specifically within the add-sales.php file. The application does not verify whether the requested sales quantity parameter (txtqty) exceeds the available stock level for a product. This flaw, classified under CWE-841 (Improper Enforcement of Behavioral Workflow), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on 2026-03-27.

The vulnerability can be exploited remotely by unauthenticated attackers over the network, with low complexity and no user interaction required. By manipulating the txtqty parameter in a sales request, an attacker can record a purchase for a quantity far above the actual available stock. The result is overselling: the recorded stock no longer reflects physical inventory (an integrity impact, consistent with the C:N/I:H/A:N vector), which disrupts inventory management and can cause financial or operational loss.

A proof-of-concept demonstrating the overselling logic flaw is available at https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddSales-Overselling.md. No vendor advisory or patch is referenced in the available information.
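The check that add-sales.php omits, shown as an added example (this is not code from the SourceCodester / Senior-Walter project or from the PoC above). The sqlite schema, column names and function names are assumptions; only the txtqty parameter name and the missing stock comparison come from the advisory. One block serves the SI-10 and transaction-monitoring controls listed earlier and the flaw described in this analysis: a vulnerable handler that subtracts txtqty from stock unconditionally, a hardened handler that validates txtqty and makes the decrement conditional on stock inside a single UPDATE (so a separate SELECT-then-check cannot be raced by concurrent requests), and a detection query that flags oversold sales and negative stock. It is written in Python with sqlite3 so it runs stand-alone; the same conditional UPDATE works unchanged in PHP against MySQL.

```python
# Added example for CVE-2026-30574 (this page's analysis, not code from the
# SourceCodester / Senior-Walter project). The table layout, column names and
# function names are assumptions; only the parameter name txtqty and the
# missing stock check come from the advisory.
import sqlite3


def make_db():
    """Constructed sample inventory: one product with 10 units on hand."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, qty INTEGER NOT NULL)")
    db.execute(
        "CREATE TABLE sales (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "product_id INTEGER NOT NULL, qty INTEGER NOT NULL, stock_before INTEGER NOT NULL)"
    )
    db.execute("INSERT INTO products VALUES (1, 'Paracetamol 500mg', 10)")
    db.commit()
    return db


def stock_of(db, product_id):
    """Current recorded stock for a product (None if it does not exist)."""
    row = db.execute("SELECT qty FROM products WHERE id = ?", (product_id,)).fetchone()
    return None if row is None else row[0]


def add_sale_vulnerable(db, product_id, txtqty):
    """Mirrors the add-sales.php flaw: txtqty is taken from the request and
    subtracted from stock with no comparison against the quantity on hand,
    so txtqty=999 against 10 units succeeds and drives stock to -989."""
    qty = int(txtqty)
    stock = stock_of(db, product_id)
    with db:
        db.execute(
            "INSERT INTO sales (product_id, qty, stock_before) VALUES (?, ?, ?)",
            (product_id, qty, stock),
        )
        db.execute("UPDATE products SET qty = qty - ? WHERE id = ?", (qty, product_id))
    return True


def add_sale_hardened(db, product_id, txtqty):
    """SI-10 style fix. Two parts matter:
    1. syntactic validation: txtqty must parse as a positive integer;
    2. the business rule: the decrement is conditional on qty >= requested
       in the same UPDATE, so two concurrent requests cannot both pass a
       separate SELECT-then-check and together oversell the last units.
    Returns True when the sale was recorded, False when it was rejected."""
    try:
        qty = int(txtqty)
    except (TypeError, ValueError):
        return False
    if qty <= 0:
        return False
    with db:  # one transaction: the UPDATE and INSERT commit together or not at all
        stock = stock_of(db, product_id)
        cur = db.execute(
            "UPDATE products SET qty = qty - ? WHERE id = ? AND qty >= ?",
            (qty, product_id, qty),
        )
        if cur.rowcount != 1:
            return False  # unknown product or insufficient stock: nothing changed
        db.execute(
            "INSERT INTO sales (product_id, qty, stock_before) VALUES (?, ?, ?)",
            (product_id, qty, stock),
        )
    return True


def find_oversold(db):
    """Detection for the monitoring control: sales whose quantity exceeded the
    stock on hand when they were recorded, plus products whose recorded stock
    has gone negative. Returns (oversold_sales, negative_products)."""
    sales = db.execute(
        "SELECT id, product_id, qty, stock_before FROM sales WHERE qty > stock_before"
    ).fetchall()
    negative = db.execute("SELECT id, qty FROM products WHERE qty < 0").fetchall()
    return sales, negative


if __name__ == "__main__":
    vuln = make_db()
    add_sale_vulnerable(vuln, 1, "999")
    print("vulnerable path, stock after txtqty=999:", stock_of(vuln, 1))
    print("oversold sales / negative products:", find_oversold(vuln))
    fixed = make_db()
    print("hardened path, txtqty=999 accepted:", add_sale_hardened(fixed, 1, "999"))
    print("hardened path, txtqty=4 accepted:", add_sale_hardened(fixed, 1, "4"))
```

Run it directly to watch the vulnerable path drive stock to -989 while the hardened path rejects txtqty=999, a negative or non-numeric txtqty, and an unknown product. The design point is that the hardened handler never acts on a stock value read in an earlier statement: the `WHERE qty >= ?` clause makes the database enforce the rule atomically, and `rowcount` tells the handler whether it held.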

Details

CWE(s): CWE-841 Improper Enforcement of Behavioral Workflow

Affected Products: senior-walter / web-based pharmacy product management system / 1.0

CVEs Like This One

CVE-2026-30573 (same product: Senior-Walter Web-Based Pharmacy Product Management System)
CVE-2026-30575 (same product: Senior-Walter Web-Based Pharmacy Product Management System)
CVE-2026-30576 (same product: Senior-Walter Web-Based Pharmacy Product Management System)
CVE-2025-52469 (shared CWE-841)
CVE-2026-34582 (shared CWE-841)
CVE-2026-41259 (shared CWE-841)
CVE-2026-3130 (shared CWE-841)
CVE-2024-51738 (shared CWE-841)
CVE-2026-30783 (shared CWE-841)

References

Public PoC: https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddSales-Overselling.md