CVE-2026-7550
Published: 01 May 2026
Summary
CVE-2026-7550 is a medium-severity Injection (CWE-74) vulnerability in Sourcecodester (inferred from references). Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7550 is a SQL injection vulnerability (CWE-74, CWE-89) affecting SourceCodester Pharmacy Sales and Inventory System 1.0. The flaw resides in an unknown function within the file /ajax.php?action=save_customer, where manipulation of the ID argument enables SQL injection.
Attackers can exploit this vulnerability remotely without authentication or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Unauthenticated remote actors require only low attack complexity to achieve limited impacts on confidentiality, integrity, and availability.
VulDB advisories (https://vuldb.com/vuln/360360) and a related GitHub issue (https://github.com/khairulazly760530-cell/cves/issues/2) detail the vulnerability, noting that the exploit has been publicly disclosed and may be used. Practitioners should review the vendor's site (https://www.sourcecodester.com/) for any patches or mitigations, as none are specified in the initial reports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26476
Vulnerability details
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected is an unknown function of the file /ajax.php?action=save_customer. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely.…
more
The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote SQL injection in a web application (ajax.php endpoint) directly enables exploitation of a public-facing application for initial access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly prevents SQL injection by requiring validation of the manipulable ID argument in /ajax.php?action=save_customer before database queries.
SI-2 mandates identification, reporting, and correction of the specific SQL injection flaw in the Pharmacy Sales and Inventory System.
RA-5 requires vulnerability scanning that would identify the publicly disclosed SQL injection in CVE-2026-7550 for subsequent remediation.