SQL Injection Found in Pharmacy Sales and Inventory System

The National Vulnerability Database (NVD) recently disclosed CVE-2026-6189, detailing a high-severity SQL injection vulnerability in SourceCodester Pharmacy Sales and Inventory System version 1.0. This isn’t just a theoretical flaw; it’s a critical remote exploit that could allow unauthenticated attackers to manipulate database queries.

According to the NVD, the vulnerability resides within an unspecified function of the /ajax.php?action=login file. By tampering with the Username argument during a login attempt, an attacker can trigger the SQL injection. The CVSSv3.1 score clocks in at 7.3, putting it firmly in the ‘High’ severity bracket, primarily due to its network-exploitable nature and the fact that no privileges or user interaction are required. The kicker? The exploit is already public, meaning script kiddies and seasoned adversaries alike could be leveraging this in the wild. This is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) scenario, often coupled with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).