{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30574", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T19:09:43.443Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T16:19:20.737Z"}, "descriptions": [{"lang": "en", "value": "A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddSales-Overselling.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-841", "lang": "en", "description": "CWE-841 Improper Enforcement of Behavioral Workflow"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:08:53.188601Z", "id": "CVE-2026-30574", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:09:43.443Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30574", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:08:53.188601Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-841", "description": "CWE-841 Improper Enforcement of Behavioral Workflow"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:08:03.012Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddSales-Overselling.md"}], "descriptions": [{"lang": "en", "value": "A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T16:19:20.737Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30574", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:09:43.443Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:senior-walter:web-based_pharmacy_product_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DB2DA030-DE10-4DA9-86D7-3E3E9A22DABC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock."}], "id": "CVE-2026-30574", "lastModified": "2026-03-31T18:03:28.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-27T17:16:28.823", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddSales-Overselling.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-841"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pharmacy_product_management_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-31T19:45:15.424484+00:00", "value": {"mitigation_remediation": ["Implement server\u2011side validation to ensure the sale quantity does not exceed available stock before recording the transaction.", "Patch or update the add\u2011sales.php file to include the stock check, or apply any vendor\u2011issued security patch if released.", "Block or throttle requests that submit unusually large quantities using a web application firewall or custom rules.", "Monitor sales logs for anomalies and verify inventory integrity regularly.", "If a patch is not yet available, restrict user access to the sales submission form until a fix is deployed."], "summary": {"action": "Validate Input", "impact": "Unauthorized Overselling and Inventory Drain"}, "threat_synthesis": {"affected_systems": "The flaw affects the SourceCodester Pharmacy Product Management System, version 1.0. As described, the product name is Web-based Pharmacy Product Management System. The CPE indicates version 1.0, so any instance deploying this exact build is vulnerable unless patched.", "description_and_impact": "The vulnerability is a business logic flaw in the SourceCodester Pharmacy Product Management System where the add-sales.php script does not verify that the quantity requested by the customer does not exceed the stock available. This allows an attacker to alter the txtqty parameter in a request and purchase far more units than exist, resulting in inventory shortfall, potential financial loss and customer dissatisfaction. The flaw is a direct application of Business Logic Error (CWE-841).", "risk_and_exploitability": "The CVSS score of 7.5 places the vulnerability in the high severity range. However, the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote, achievable through manipulation of the HTTP request to add-sales.php by any user who can submit a sales form. The impact could be significant for businesses relying on accurate inventory counts and revenue reporting."}}}}, "created": "2026-03-27T20:28:57.745883+00:00", "updated": "2026-03-31T20:01:23.337490+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$pharmacy_product_management_system"]}