CVE-2026-7194: SourceCodester Pharmacy System SQL Injection Publicly Exploitable
The National Vulnerability Database has disclosed CVE-2026-7194, a high-severity SQL injection vulnerability affecting SourceCodester Pharmacy Sales and Inventory System version 1.0. The flaw resides in /ajax.php?action=save_product, where manipulating the ID argument allows remote SQL injection. The critical concern is that an exploit for this vulnerability has been made publicly available, significantly lowering the bar for attackers.
This isn’t a complex zero-day; it’s a straightforward SQLi that attackers can now weaponize with minimal effort. The CVSS score of 7.3 (HIGH) reflects the remote attack vector (AV:N) and the potential for partial confidentiality, integrity, and availability impacts (C:L/I:L/A:L). While affected versions beyond 1.0 aren’t detailed, any organization running this system should assume that compromising it is trivial.
Defenders need to recognize that public exploits transform theoretical risks into immediate threats. Attackers don’t need to be sophisticated; they just need to find exposed instances. This vulnerability, categorized under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Web Page) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), points to fundamental input validation failures. It’s a reminder that basic web application security hygiene remains paramount.
What This Means For You
- If your organization uses SourceCodester Pharmacy Sales and Inventory System 1.0, you must consider it compromised. There's a public exploit. Immediately patch or take the system offline. Audit logs for suspicious activity, especially around `ajax.php?action=save_product` and database access.
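The log audit recommended above can start with a pass like the following. This is an added example, not code from NVD or the vendor, and it assumes the web server writes Combined Log Format and that a legitimate `id` is either empty or a plain integer. POST bodies are not in access logs, so an empty result does not clear the system.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def audit(lines):
    """Flag requests to ajax.php?action=save_product that deserve a closer look.

    Returns (findings, hits): findings is a list of (line_no, client_ip, reason),
    hits maps each client IP to its number of requests to the endpoint.
    """
    findings, hits = [], defaultdict(int)
    for line_no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        # parse_qsl percent-decodes values; parameter names are compared case-insensitively.
        params = [(k.lower(), v) for k, v in parse_qsl(url.query, keep_blank_values=True)]
        if not url.path.endswith("/ajax.php") or ("action", "save_product") not in params:
            continue
        hits[ip] += 1
        # Allow-list check (assumption): id is empty for a new product, else ASCII digits only.
        if any(v and not re.fullmatch(r"[0-9]+", v) for k, v in params if k == "id"):
            findings.append((line_no, ip, "non-numeric id"))
        # A 5xx on this endpoint can mean a query failed on malformed input.
        if status.startswith("5"):
            findings.append((line_no, ip, "server error"))
    return findings, dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [28/Apr/2026:03:10:01 +0000] "POST /ajax.php?action=save_product HTTP/1.1" 200 1 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Apr/2026:03:11:40 +0000] "POST /ajax.php?action=save_product&id=12%27 HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [28/Apr/2026:03:11:41 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.7 - - [28/Apr/2026:03:12:05 +0000] "POST /ajax.php?action=save_product&id=12 HTTP/1.1" 200 1 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, per_client = audit(SAMPLE)
    for line_no, ip, reason in found:
        print(f"line {line_no}: {ip}: {reason}")
    print("requests to save_product per client:", per_client)
```

Clients in `hits` that are not known pharmacy workstations are worth correlating with database logs even when they produced no finding.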
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7194 | SQLi | SourceCodester Pharmacy Sales and Inventory System 1.0 |
| CVE-2026-7194 | SQLi | /ajax.php?action=save_product |
| CVE-2026-7194 | SQLi | Manipulation of argument ID |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 02:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.