CVE-2026-7126: SQL Injection in Pharmacy Sales and Inventory System

The National Vulnerability Database has published CVE-2026-7126, a SQL injection vulnerability in SourceCodester Pharmacy Sales and Inventory System version 1.0. The flaw is in /ajax.php?action=save_category, in the handling of the ID argument.

The vulnerability is rated High severity (CVSS 7.3) and is exploitable remotely. An attacker who controls the ID argument can alter the SQL statement the application builds around it, which allows unauthorized reading or modification of data and, depending on the database account's privileges, compromise of the whole database. Exploit code has been published, which materially raises the near-term risk to exposed installations.
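
To make the bug class concrete, here is an added example, not the application's own code (the page does not reproduce it), contrasting a category-save handler that splices the ID value into its SQL with the parameterized form. The table layout, the seed rows and the assumption that save_category runs an UPDATE keyed on ID are illustrative; the injected value is the tautology payload the detection rule on this page looks for.

```python
import sqlite3

# Assumed, illustrative schema and seed data: the page publishes neither the
# application's code nor its table layout, only that the ID argument of
# ajax.php?action=save_category is injectable.
SEED_CATEGORIES = [(1, "Analgesics"), (2, "Painkillers"), (3, "Antibiotics")]

# A classic tautology payload: closes the quoted ID, ORs in a true condition,
# and comments out whatever the application appends afterwards.
PAYLOAD = "' OR 1=1 --"


def setup_db():
    """In-memory database seeded with the constructed sample categories."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO categories (id, name) VALUES (?, ?)", SEED_CATEGORIES)
    conn.commit()
    return conn


def save_category_vulnerable(conn, category_id, name):
    """The bug class behind CVE-2026-7126: request values are spliced into the SQL text,
    so whatever the client sends as ID becomes part of the statement. Returns rows affected."""
    sql = f"UPDATE categories SET name = '{name}' WHERE id = '{category_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def save_category_safe(conn, category_id, name):
    """Hardened form: the statement shape is fixed and ID travels as a bound parameter,
    so quote characters and SQL keywords inside it are just data. Returns rows affected."""
    cur = conn.execute("UPDATE categories SET name = ? WHERE id = ?", (name, category_id))
    conn.commit()
    return cur.rowcount


def category_names(conn):
    """Current category names in id order, to show what each handler did to the table."""
    return [row[0] for row in conn.execute("SELECT name FROM categories ORDER BY id")]


if __name__ == "__main__":
    vuln = setup_db()
    print("vulnerable, legitimate ID=2:", save_category_vulnerable(vuln, "2", "Vitamins"), "row(s)")
    print("vulnerable, injected ID:   ", save_category_vulnerable(vuln, PAYLOAD, "pwned"), "row(s)")
    print("table after injection:     ", category_names(vuln))

    safe = setup_db()
    print("safe, injected ID:         ", save_category_safe(safe, PAYLOAD, "pwned"), "row(s)")
    print("safe, legitimate ID=2:     ", save_category_safe(safe, "2", "Vitamins"), "row(s)")
    print("table stays intact:        ", category_names(safe))
```

With the concatenated query the payload turns `WHERE id = ''` into `WHERE id = '' OR 1=1`, and every category is overwritten; with the bound parameter the same string matches no row, and the legitimate request still works. Adding a type check (for example rejecting a non-integer ID before the query runs) is good defence in depth, but parameterization is what removes the injection.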

For defenders this is an immediate concern. Unpatched installations of SourceCodester Pharmacy Sales and Inventory System 1.0 are easy targets: with exploit code public, an opportunistic attacker needs no special skill, only a reachable instance, to extract sales and inventory data or disrupt operations.

What This Means For You

  • If your organization runs SourceCodester Pharmacy Sales and Inventory System 1.0, you are exposed to a SQL injection flaw with public exploit code. Inventory every instance first. If a fixed version is available, apply it; otherwise remove the application from public exposure (network ACLs or VPN-only access) and, as a stopgap, put a WAF or reverse-proxy rule in front of /ajax.php that blocks SQL metacharacters in the ID parameter. Edge filtering reduces exposure but is not a fix: the durable remediation is for the application to bind ID as a parameter of a prepared statement instead of concatenating it into the query.

🛡️ Detection Rules

Three detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; one is reproduced below in Sigma YAML.

Level: high · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

CVE-2026-7126: SQL Injection in Pharmacy System ajax.php

Sigma YAML
title: CVE-2026-7126: SQL Injection in Pharmacy System ajax.php
id: scw-2026-04-27-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7126 against the /ajax.php endpoint with the
  'save_category' action by looking for common SQL injection payloads in the 'ID'
  parameter. Covers the initial access vector only: parameters carried in a POST body
  do not appear in web server access logs and need WAF or application-layer logging.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7126/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # The endpoint: path, action and the ID parameter must all be present.
  # (Sigma 'contains' matching is case-insensitive.)
  selection_endpoint:
    cs-uri|contains: '/ajax.php'
    cs-uri-query|contains|all:
      - 'action=save_category'
      - 'ID='
  # Any one payload fragment, raw or URL-encoded the way a client actually sends it.
  selection_payload:
    cs-uri-query|contains:
      - "' OR 1=1"
      - "%27%20OR%201%3D1"
      - "%27%20OR%201=1"
      - "%27+OR+1%3D1"
      - "%27+OR+1=1"
      - "' OR '1'='1"
      - "%27%20OR%20%271%27%3D%271"
      - "%27+OR+%271%27%3D%271"
      - "UNION SELECT"
      - "UNION%20SELECT"
      - "UNION+SELECT"
  condition: selection_endpoint and selection_payload
falsepositives:
  - Legitimate administrative activity that places SQL keywords in category names
  - Vulnerability scanners and authorized penetration tests

Source: Shimi's Cyber World
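
The rule above only sees what the web server writes to its access log, so it is worth exercising its logic on sample requests. The following is an added example, not code from Shimi's Cyber World or from the Sigma project: it applies the same endpoint-plus-payload matching to constructed access-log lines, URL-decoding the ID parameter first so that percent- and plus-encoded payloads are caught, and separately lists save_category requests whose parameters never appear in the URL, which is exactly where the rule is blind. The log lines, IP addresses and timestamps are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache/nginx "combined"-style format.
# Not real traffic: one legitimate save, two GET-based injection attempts (one
# percent-encoded, one plus-encoded), one POST whose body is not logged, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Apr/2026:17:20:01 +0000] "GET /ajax.php?action=save_category&ID=3&name=Vitamins HTTP/1.1" 200 17
203.0.113.44 - - [27/Apr/2026:17:21:09 +0000] "GET /ajax.php?action=save_category&ID=1%27%20OR%201%3D1%20--&name=x HTTP/1.1" 200 17
203.0.113.44 - - [27/Apr/2026:17:21:30 +0000] "GET /ajax.php?action=save_category&ID=1'+UNION+SELECT+username,password+FROM+users--&name=x HTTP/1.1" 500 0
203.0.113.44 - - [27/Apr/2026:17:22:02 +0000] "POST /ajax.php?action=save_category HTTP/1.1" 200 17
198.51.100.7 - - [27/Apr/2026:17:23:15 +0000] "GET /index.php?page=categories HTTP/1.1" 200 5120
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# The payload shapes the Sigma rule enumerates, as regexes over the *decoded* value,
# so one pattern covers raw, %-encoded and +-encoded variants and casing.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"'\s*or\s+1\s*=\s*1", r"'\s*or\s*'1'\s*=\s*'1", r"\bunion\s+select\b")
]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def save_category_params(uri):
    """Decoded query parameters (keys lower-cased) if the URI targets
    ajax.php?action=save_category, else None."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("/ajax.php"):
        return None
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if params.get("action") != ["save_category"]:
        return None
    return params


def matches_sqli(value):
    """True if a decoded parameter value contains one of the enumerated payload shapes."""
    return any(p.search(value) for p in SQLI_PATTERNS)


def scan(log_text):
    """Apply the rule's logic: save_category requests whose decoded ID carries a payload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = save_category_params(rec["uri"])
        if params is None:
            continue
        for value in params.get("id", []):
            if matches_sqli(value):
                hits.append({"ip": rec["ip"], "id": value, "status": rec["status"]})
    return hits


def unobservable_requests(log_text):
    """save_category requests with no ID in the URL (typically POST bodies): the rule
    cannot inspect these, so they are the blind spot to cover with WAF or app logs."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = save_category_params(rec["uri"])
        if params is not None and "id" not in params:
            out.append({"ip": rec["ip"], "method": rec["method"]})
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT", hit)
    for req in unobservable_requests(SAMPLE_LOG):
        print("NOT VISIBLE TO RULE", req)
```

Both GET-based attempts are flagged once the value is decoded, while the POST to the same endpoint is reported only as unobservable: the rule has nothing to match on, and a request like it is exactly what a scanner or the published exploit may send. Matching on decoded values in the SIEM, where the backend supports it, is also more robust than enumerating encodings in the rule.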

Indicators of Compromise

ID              Type           Indicator
CVE-2026-7126   Vulnerability  CVE-2026-7126
Source & Attribution
Source platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

CVE-2026-7138: Critical Command Injection in Totolink Routers

CVE-2026-7138 — A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setNtpCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler....

Totolink Router RCE: CVE-2026-7137 Exposes Home and Small Business Networks

CVE-2026-7137 — A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI...

Totolink A8000RU Critical Command Injection Flaw (CVE-2026-7136)

CVE-2026-7136 — A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the...
