CVE-2026-7130
Published: 27 April 2026
Summary
CVE-2026-7130 is a medium-severity Injection (CWE-74) vulnerability in Sourcecodester (inferred from references). Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7130 is a SQL injection vulnerability (CWE-74, CWE-89) affecting SourceCodester Pharmacy Sales and Inventory System 1.0. The flaw exists in an unknown function of the file /ajax.php?action=delete_category, where manipulation of the ID argument enables SQL injection.
Remote attackers require no privileges or user interaction to exploit the vulnerability, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation can result in limited impact on confidentiality, integrity, and availability.
VulDB advisories document the issue and note that an exploit has been published on GitHub, making it readily usable by attackers. No specific patches or mitigations are detailed in the available references, including those from VulDB and SourceCodester.
The published exploit heightens the risk of real-world exploitation for unpatched instances of this system.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25854
Vulnerability details
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=delete_category. Executing a manipulation of the argument ID can lead to SQL injection. The attack may be performed from remote. The exploit has been published and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated SQL injection in a web application endpoint (ajax.php) directly enables exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the SQL injection by requiring validation of the manipulable ID argument in /ajax.php before it reaches any database query.
- SI-2 (Flaw Remediation): mandates timely remediation of the identified SQL injection flaw in the Pharmacy Sales and Inventory System through patching or code correction.
- SC-7 (Boundary Protection): a web application firewall in front of the application blocks SQL injection payloads targeting the vulnerable delete_category endpoint.
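The following is an added example, not code from SourceCodester or from VulDB, showing what the SI-10 control looks like in practice for an endpoint of this shape. It assumes a PDO connection and a `categories` table with an integer primary key `id`; the real schema, function names and request handling of the Pharmacy Sales and Inventory System are not documented on this page, so those names are illustrative. The comment at the top shows the concatenation pattern that makes an ID argument injectable; the functions below it validate the value as a positive integer and then bind it as a typed parameter, so even a value that slips past validation cannot change the query's structure.

```php
<?php
// Added example (not the project's code): hardened handling of the category
// id for an endpoint like /ajax.php?action=delete_category.
// Assumptions: a PDO connection and a table `categories` with an integer
// primary key `id`. Table and function names are illustrative.

declare(strict_types=1);

/*
 * Vulnerable pattern (illustrative only): the raw request value is spliced
 * into the SQL text, so any input that is not a plain integer changes the
 * meaning of the statement rather than just the value being compared.
 *
 *   $db->exec("DELETE FROM categories WHERE id = " . $_POST['id']);
 */

/** Accept only a positive integer id; return null for anything else. */
function validate_category_id(mixed $raw): ?int
{
    // FILTER_VALIDATE_INT rejects empty strings, arrays, text, and anything
    // with trailing characters; min_range rejects zero and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Hardened delete: validated input AND a bound parameter (defence in depth). */
function delete_category(PDO $db, mixed $raw): bool
{
    $id = validate_category_id($raw);
    if ($id === null) {
        return false; // refuse to build a query from malformed input
    }
    $stmt = $db->prepare('DELETE FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories (id, name) VALUES (1, 'Analgesics'), (2, 'Antibiotics'), (3, 'Vitamins')");

// A valid id deletes exactly one row; the other inputs are rejected before
// any SQL is built, and the row count stays unchanged.
foreach (['2', '2 OR 1=1', 'abc', '-1'] as $input) {
    $deleted = delete_category($db, $input);
    $left = (int) $db->query('SELECT COUNT(*) FROM categories')->fetchColumn();
    printf("input=%-12s deleted=%-3s rows_left=%d\n", var_export($input, true), $deleted ? 'yes' : 'no', $left);
}
```

Run it with `php` and the `pdo_sqlite` extension enabled. The point of keeping both layers is that validation gives a clear rejection path (and a log line worth alerting on when the endpoint receives non-numeric ids), while the bound parameter guarantees the database never interprets the value as SQL regardless of what the validation layer does.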