CVE-2026-30576
Published: 27 March 2026
Summary
CVE-2026-30576 is a high-severity Improper Input Validation (CWE-20) vulnerability in the Senior-Walter Web-Based Pharmacy Product Management System. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the improper input validation (CWE-20) by requiring range, data type, and other validation techniques to reject negative values in the txtprice and txttotalcost parameters during stock entry.
- SI-2 (Flaw Remediation): Requires timely remediation of the specific business logic flaw in add-stock.php, preventing exploitation through code fixes or patches that enforce proper validation.
- Audit record content: Specifies that audit records include the stock entry parameters and validation outcomes, enabling detection of crafted requests with negative financial values.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of a public-facing web application (add-stock.php) maps directly to T1190. The resulting corruption of stored inventory and financial records (high integrity impact) maps to T1565.001 Stored Data Manipulation.
NVD Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters during stock entry, allowing negative financial values to be submitted. This leads to corruption of financial records, allowing attackers to manipulate inventory asset values and procurement costs.
Deeper analysis
CVE-2026-30576 is a business logic vulnerability in the SourceCodester Pharmacy Product Management System 1.0, specifically within the add-stock.php file. The application does not properly validate the "txtprice" and "txttotalcost" parameters during stock entry operations, permitting the submission of negative financial values. This flaw, classified under CWE-20 (Improper Input Validation), enables corruption of financial records, allowing manipulation of inventory asset values and procurement costs. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on 2026-03-27.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting crafted requests with negative values to the add-stock.php endpoint, attackers can alter stock entries to reflect fictitious financial gains or losses, thereby distorting the system's inventory and cost records. The integrity impact is high, potentially leading to fraudulent accounting or financial discrepancies in pharmacy management operations.
A proof-of-concept exploit is documented in the GitHub repository at https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddStock-NegativePrice.md, which demonstrates the negative price submission technique. No vendor advisories or patches are referenced in the available information.
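The following is an added example, not code from the SourceCodester project or from the referenced PoC repository: a hardened stock-entry handler in PHP that applies the range and data-type validation SI-10 calls for on txtprice and txttotalcost, and writes an audit record when a request is rejected. The $pdo connection, the table name and its column names are assumptions for illustration.

```php
<?php
// Added example, not code from the SourceCodester project: a hardened
// stock-entry handler for CVE-2026-30576. The parameter names txtprice and
// txttotalcost come from the advisory; $pdo, the table and its columns are
// assumed for illustration.
declare(strict_types=1);

// A monetary field must be an unsigned decimal with at most two decimal
// places. The pattern alone rejects "-5", "+5", "1e3", " 10" and "", and
// non-string input (arrays) never reaches it; the upper bound caps amounts
// that are positive but implausible.
function validate_money($raw, float $max = 9999999.99): ?string
{
    if (!is_string($raw) || !preg_match('/^\d{1,7}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    $value = (float) $raw;
    if ($value < 0.0 || $value > $max) {
        return null;
    }
    return number_format($value, 2, '.', '');  // canonical form, e.g. "12.50"
}

// Validate both fields; on failure, write an audit record that captures the
// offending raw values so negative-amount requests are visible to detection.
function validate_stock_entry(array $post): array
{
    $price = validate_money($post['txtprice'] ?? null);
    $total = validate_money($post['txttotalcost'] ?? null);
    $errors = [];
    if ($price === null) { $errors[] = 'txtprice must be a non-negative amount'; }
    if ($total === null) { $errors[] = 'txttotalcost must be a non-negative amount'; }
    if ($errors !== []) {
        error_log(sprintf('add-stock rejected: txtprice=%s txttotalcost=%s ip=%s',
            var_export($post['txtprice'] ?? null, true),
            var_export($post['txttotalcost'] ?? null, true),
            $_SERVER['REMOTE_ADDR'] ?? '-'));
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'price' => $price, 'total' => $total];
}

// In add-stock.php: refuse the request before any database write.
$result = validate_stock_entry($_POST);
if (!$result['ok']) {
    http_response_code(400);
    exit(implode("\n", $result['errors']));
}
$stmt = $pdo->prepare('INSERT INTO stock (price, total_cost) VALUES (:price, :total)');
$stmt->execute([':price' => $result['price'], ':total' => $result['total']]);
```

Because the canonical value is computed server-side from the validated string, a client cannot smuggle a sign, exponent or locale separator past the check, and every rejection leaves a log line containing the submitted values.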
Details
- CWE(s)