Cyber Resilience

CVE-2026-30576

High · Public PoC

Published: 27 March 2026
Modified: 31 March 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0008 (24.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30576 is a high-severity Improper Input Validation (CWE-20) vulnerability in Senior-Walter Web-Based Pharmacy Product Management System. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30576 is a business logic vulnerability in the SourceCodester Pharmacy Product Management System 1.0, specifically within the add-stock.php file. The application does not properly validate the "txtprice" and "txttotalcost" parameters during stock entry operations, permitting the submission of negative financial values. This flaw, classified under CWE-20 (Improper Input Validation), enables corruption of financial records, allowing manipulation of inventory asset values and procurement costs. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on 2026-03-27.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting crafted requests with negative values to the add-stock.php endpoint, attackers can alter stock entries to reflect fictitious financial gains or losses, thereby distorting the system's inventory and cost records. The integrity impact is high, potentially leading to fraudulent accounting or financial discrepancies in pharmacy management operations.

A proof-of-concept exploit is documented in the GitHub repository at https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddStock-NegativePrice.md, which demonstrates the negative price submission technique. No vendor advisories or patches are referenced in the available information.

Vulnerability details

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters during stock entry, allowing negative financial values to be submitted. This leads to corruption of financial records, allowing attackers to manipulate inventory asset values and procurement costs.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Remote unauthenticated exploitation of public-facing web app (add-stock.php) directly enables T1190; resulting high-integrity corruption of stored inventory/financial records maps to T1565.001 Stored Data Manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30575 · Same product: Senior-Walter Web-Based Pharmacy Product Management System
CVE-2026-30573 · Same product: Senior-Walter Web-Based Pharmacy Product Management System
CVE-2026-30574 · Same product: Senior-Walter Web-Based Pharmacy Product Management System
CVE-2026-25126 · Shared CWE-20
CVE-2026-4755 · Shared CWE-20
CVE-2026-6973 · Shared CWE-20
CVE-2026-23836 · Shared CWE-20
CVE-2025-12275 · Shared CWE-20
CVE-2025-21344 · Shared CWE-20
CVE-2025-43347 · Shared CWE-20

Affected Assets

senior-walter · web-based pharmacy product management system · 1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly addresses the improper input validation (CWE-20) by requiring range, data type, and other validation techniques to reject negative values in txtprice and txttotalcost parameters during stock entry.

Prevent: Requires timely remediation of the specific business logic flaw in add-stock.php, preventing exploitation through code fixes or patches that enforce proper validation.

Detect: Specifies audit record content to include stock entry parameters and validation outcomes, enabling detection of crafted requests with negative financial values.
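
One way to apply the input validation and audit controls described above on the server side, as an added example that is not code from the product or its vendor. Only the field names txtprice and txttotalcost come from this page; the function names, the integer-cents representation and the upper bound are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not SourceCodester code. Only the field names txtprice and
// txttotalcost come from the advisory; everything else is an assumption.
const MAX_AMOUNT_CENTS = 100000000; // assumed business ceiling: 1,000,000.00

// Parse one posted monetary field into integer cents, or throw.
// Allow-list: plain decimals only, so "-5", "+5", "1e3", " 5" and arrays fail.
function parse_money_field(array $post, string $field): int
{
    $raw = $post[$field] ?? null;
    if (!is_string($raw) || preg_match('/\A\d{1,9}(\.\d{1,2})?\z/', $raw) !== 1) {
        throw new InvalidArgumentException("$field: not a non-negative decimal amount");
    }
    [$whole, $frac] = array_pad(explode('.', $raw, 2), 2, '');
    $cents = (int)$whole * 100 + (int)str_pad($frac, 2, '0');
    if ($cents > MAX_AMOUNT_CENTS) {
        throw new InvalidArgumentException("$field: amount above allowed maximum");
    }
    return $cents;
}

// Validate both financial fields of a stock entry before anything is stored.
function validate_stock_entry(array $post): array
{
    $errors = []; $clean = [];
    foreach (['txtprice', 'txttotalcost'] as $field) {
        try {
            $clean[$field] = parse_money_field($post, $field);
        } catch (InvalidArgumentException $e) {
            $errors[] = $e->getMessage(); // field name only, never the raw input
        }
    }
    // Audit the outcome so rejected submissions are visible to reviewers.
    error_log(json_encode(['event' => 'add_stock_validation',
        'ok' => $errors === [], 'errors' => $errors]));
    return ['ok' => $errors === [], 'cents' => $clean, 'errors' => $errors];
}

// Constructed sample submissions, not captured traffic.
foreach ([['txtprice' => '12.50', 'txttotalcost' => '250'],
          ['txtprice' => '-12.50', 'txttotalcost' => '-250']] as $sample) {
    echo json_encode(validate_stock_entry($sample)), PHP_EOL;
}
```

The stock record should be written only when `ok` is true, using the parsed cents values rather than the raw request strings.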
