CVE-2026-30575 identifies a business logic vulnerability in the SourceCodester Pharmacy Product Management System version 1.0, located in the add-stock.php script. The vulnerability arises because the application fails to validate the 'txtqty' parameter during stock entry, allowing negative values to be processed. Instead of increasing inventory when adding stock, the system processes negative quantities by decreasing the inventory count. This flawed logic can be exploited by an attacker to artificially reduce or deplete inventory records, causing corruption of stock data. The consequence is a denial of service condition where the pharmacy's inventory system becomes unreliable or unusable due to inaccurate stock levels. This can disrupt supply chain management, order fulfillment, and overall pharmacy operations. The vulnerability does not require authentication or user interaction, making it easier to exploit if the add-stock.php endpoint is accessible. No CVSS score is assigned yet, and no patches or known exploits are reported at this time. The root cause is insufficient input validation and lack of business logic checks to prevent negative stock quantities, which is a critical oversight in inventory management systems. Organizations relying on this system should prioritize validation of input parameters and implement strict business rules to ensure stock quantities cannot be negative.

The primary impact of CVE-2026-30575 is on the integrity and availability of inventory data within the affected pharmacy management system. By allowing negative stock entries, attackers can corrupt inventory records, leading to inaccurate stock levels that may cause operational disruptions. Pharmacies could face denial of service conditions where they cannot reliably track or fulfill medication orders, potentially affecting patient care and business continuity. Financial losses may occur due to inventory mismanagement, stockouts, or over-ordering. The vulnerability could also undermine trust in the system and require costly remediation efforts. Since no authentication is required, attackers with network access to the vulnerable endpoint can exploit this flaw easily, increasing the risk of widespread abuse. Although no known exploits are reported, the potential for automated attacks exists. The scope is limited to organizations using SourceCodester Pharmacy Product Management System 1.0 or similar vulnerable versions, but the impact on these entities can be significant.

To mitigate CVE-2026-30575, organizations should implement strict input validation on the 'txtqty' parameter to reject any negative values during stock entry. Business logic controls must enforce that stock quantities can only be positive or zero when adding inventory. Code review and testing should focus on all inventory-related functions to ensure no other parameters allow invalid values. If possible, restrict access to the add-stock.php endpoint to authorized personnel only, using authentication and network segmentation. Monitoring and alerting on unusual inventory adjustments, such as sudden large negative stock changes, can help detect exploitation attempts. Applying patches or updates from the vendor once available is critical. Additionally, consider implementing role-based access controls and audit logging to track inventory modifications. Training staff to recognize and report inventory anomalies can further reduce risk. Finally, conducting regular security assessments of the pharmacy management system will help identify and remediate similar logic flaws.