CVE-2026-30575
Published: 27 March 2026
Summary
CVE-2026-30575 is a high-severity Improper Input Validation (CWE-20) vulnerability in Senior-Walter Web-Based Pharmacy Product Management System. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of input parameters such as txtqty to ensure only valid positive quantities are processed during stock addition, preventing inventory corruption from negative values.
Restricts information inputs at the application interface to valid types and ranges, such as positive integers for txtqty, blocking negative values that exploit the business logic flaw.
Generates audit records for stock addition events including input parameters, enabling detection of negative quantity submissions and subsequent inventory depletions.
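The validation, restriction and audit controls described above, sketched as an added example for a PHP handler such as add-stock.php. This is not code from the vendor or from this page; parse_stock_qty, audit_stock_attempt, MAX_STOCK_QTY and the sample inputs are hypothetical names and values. It requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Assumed upper bound for a single stock entry; set it to the real business rule.
const MAX_STOCK_QTY = 100000;

/**
 * Return the quantity as an int if it is a whole number in [1, MAX_STOCK_QTY],
 * or null if the request must be rejected.
 */
function parse_stock_qty(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing field, or an array such as txtqty[]=1
    }
    // Digits only: rejects "-25", "+5", "1e3", "0x10", " 7", "7.0" and "".
    if (preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    $qty = (int) $raw;
    return ($qty >= 1 && $qty <= MAX_STOCK_QTY) ? $qty : null;
}

/** Build one JSON audit line for every stock-addition attempt, accepted or not. */
function audit_stock_attempt(string $remote, mixed $raw, ?int $qty): string
{
    // Truncate the submitted value; JSON encoding escapes newlines in the log line.
    $shown = is_string($raw) ? substr($raw, 0, 32) : gettype($raw);
    return json_encode([
        'event'   => 'stock_add',
        'remote'  => $remote,
        'txtqty'  => $shown,
        'outcome' => $qty === null ? 'rejected' : 'accepted',
    ], JSON_THROW_ON_ERROR | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Constructed sample inputs standing in for $_POST['txtqty'].
foreach (['25', '-25', '0', '1e3', ' 7', '999999999', ['1']] as $raw) {
    $qty = parse_stock_qty($raw);
    error_log(audit_stock_attempt('192.0.2.10', $raw, $qty));
    // Only a non-null $qty may reach the stock UPDATE, bound as an integer parameter.
}
```

Of the constructed inputs only '25' is accepted. A database-level constraint that keeps the stock column non-negative is a useful second layer behind this check.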
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated input validation flaw in the web application directly enables remote exploitation of a public-facing application (T1190) and stored data manipulation (T1565.001), where negative quantity injection causes inventory corruption.
NVD Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This causes the system to decrease the inventory level instead of increasing it, leading to inventory corruption and potential Denial of Service by depleting stock records.
Deeper analysis
CVE-2026-30575 is a business logic vulnerability in SourceCodester Pharmacy Product Management System 1.0, specifically within the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This flaw causes the system to decrease inventory levels instead of increasing them, resulting in inventory corruption.
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By submitting negative quantities via the vulnerable endpoint, the attacker can deplete stock records, leading to denial of service through widespread inventory corruption. The issue is linked to CWE-20 (Improper Input Validation) and CWE-1284 (Inappropriate File Operations).
A proof-of-concept demonstrating the negative quantity manipulation is available at https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddStock-NegativeQty.md. No vendor advisories or patches are referenced in the available information.
Details
- CWE(s)