CVE-2026-10248: CSV Injection in SourceCodester Pharmacy Sales and Inventory System
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
AI Analysis
Technical Summary
SourceCodester Pharmacy Sales and Inventory System up to version 1.0 contains a CSV Injection vulnerability identified as CVE-2026-10248. The flaw is located in the create_supplier function of the /Export_csv/export file, part of the Supplier Creation Interface. By manipulating the Address or Company Name fields, an attacker can inject malicious content into CSV exports. This vulnerability can be exploited remotely without user interaction and has a CVSS 4.0 base score of 5.1, indicating medium severity. No official fix or patch has been published by the vendor as of the current information.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious formulas or code into CSV files generated by the system. When these CSV files are opened by users in spreadsheet applications, the injected content could execute, potentially leading to data manipulation or further compromise. However, the impact is limited by the need for the victim to open the crafted CSV file. There is no indication of privilege escalation or direct system compromise from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution when opening CSV files exported from the affected system, especially those containing supplier Address or Company Name data. Implement input validation or sanitization on these fields if possible to reduce injection risk.
CVE-2026-10248: CSV Injection in SourceCodester Pharmacy Sales and Inventory System
Description
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
CVSS v4.0
Score 5.1medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SourceCodester Pharmacy Sales and Inventory System up to version 1.0 contains a CSV Injection vulnerability identified as CVE-2026-10248. The flaw is located in the create_supplier function of the /Export_csv/export file, part of the Supplier Creation Interface. By manipulating the Address or Company Name fields, an attacker can inject malicious content into CSV exports. This vulnerability can be exploited remotely without user interaction and has a CVSS 4.0 base score of 5.1, indicating medium severity. No official fix or patch has been published by the vendor as of the current information.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to inject malicious formulas or code into CSV files generated by the system. When these CSV files are opened by users in spreadsheet applications, the injected content could execute, potentially leading to data manipulation or further compromise. However, the impact is limited by the need for the victim to open the crafted CSV file. There is no indication of privilege escalation or direct system compromise from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution when opening CSV files exported from the affected system, especially those containing supplier Address or Company Name data. Implement input validation or sanitization on these fields if possible to reduce injection risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-31T10:15:20.424Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1d6713e29bf47b50e7329b
Added to database: 6/1/2026, 11:03:47 AM
Last enriched: 6/1/2026, 11:18:53 AM
Last updated: 6/1/2026, 6:38:30 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.