CVE-2026-7088: SQL Injection in Pharmacy System Exposes Sensitive Data
The National Vulnerability Database has identified a critical SQL injection vulnerability, CVE-2026-7088, affecting SourceCodester Pharmacy Sales and Inventory System version 1.0. This flaw resides in the /ajax.php file, specifically within the ‘save_receiving’ action. Attackers can remotely exploit this by manipulating the ‘ID’ argument, potentially leading to unauthorized data access or modification. The CVSS score of 7.3 (HIGH) underscores the severity, with a public exploit available, increasing the immediate risk to organizations running this software.
This vulnerability falls under CWE-74 and CWE-89, highlighting its nature as both an injection flaw and a specific SQL injection. The lack of specified affected products beyond the version number suggests a broad potential impact for any organization deploying this particular system. The remote and unauthenticated nature of the attack (AV:N/AC:L/PR:N/UI:N) means that any internet-facing instance is a prime target.
What This Means For You
- If your organization uses the SourceCodester Pharmacy Sales and Inventory System 1.0, you must immediately investigate and patch or isolate any instances. Given the public exploit, assume exploitation is already occurring. Audit database access logs for unusual activity related to the 'save_receiving' function.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-7088: SQL Injection in Pharmacy System ajax.php
title: CVE-2026-7088: SQL Injection in Pharmacy System ajax.php
id: scw-2026-04-27-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-7088 by targeting the /ajax.php script with a SQL injection payload in the 'ID' parameter. This rule specifically looks for the 'OR 1=1' pattern commonly used in basic SQL injection attacks against this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7088/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/ajax.php?action=save_receiving'
cs-uri-query|contains:
- 'ID=';
cs-uri-query|contains:
- 'OR 1=1'
condition: cs-uri AND cs-uri-query
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7088 | SQLi | SourceCodester Pharmacy Sales and Inventory System 1.0 |
| CVE-2026-7088 | SQLi | Vulnerable file: /ajax.php?action=save_receiving |
| CVE-2026-7088 | SQLi | Vulnerable argument: ID parameter in /ajax.php?action=save_receiving |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 09:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7094: High-Severity SSRF in ShadowCloneLabs GlutamateMCPServers
CVE-2026-7094 — A vulnerability was determined in ShadowCloneLabs GlutamateMCPServers up to e2de73280b01e5d943593dd1aa2c01c5b9112f78. Affected by this issue is some unknown functionality of the file src/puppeteer/index.ts of...
CVE-2026-7093 — Code-Projects Invoice System In Laravel Vulnerability
CVE-2026-7093 — A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/...
CVE-2026-7092 — Code-Projects Invoice System In Laravel Vulnerability
CVE-2026-7092 — A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the...