SQLi Exploit Public for SourceCodester Pharmacy System

The National Vulnerability Database (NVD) has issued an advisory for CVE-2026-6187, detailing a high-severity SQL injection vulnerability in SourceCodester Pharmacy Sales and Inventory System version 1.0. This isn’t some theoretical flaw; the NVD explicitly states the exploit is public, meaning threat actors can and likely will be leveraging this in the wild.

The vulnerability stems from improper handling of the ID argument within the /ajax.php?action=chk_prod_availability file. Manipulating this parameter allows for remote SQL injection, a classic but still highly effective attack vector. A successful exploit could lead to unauthorized access to sensitive data, database manipulation, or even full system compromise, depending on the privileges of the affected database user.

Rated with a CVSSv3.1 score of 7.3, this flaw is categorized under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Different Context) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)). This is a critical reminder that even seemingly simple web applications can harbor dangerous vulnerabilities, especially when proper input validation is overlooked.