CVE-2026-30576: n/a
A business logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters during stock entry, allowing negative financial values to be submitted. This leads to corruption of financial records, allowing attackers to manipulate inventory asset values and procurement costs.
AI Analysis
Technical Summary
CVE-2026-30576 identifies a business logic vulnerability in the SourceCodester Pharmacy Product Management System version 1.0, located in the add-stock.php script. The vulnerability arises because the application fails to validate the 'txtprice' and 'txttotalcost' input parameters during stock entry operations. Specifically, it allows negative values to be submitted and processed, which should normally be disallowed in financial contexts. This lack of validation permits attackers to manipulate the system's financial records by entering negative prices or total costs, thereby corrupting inventory asset valuations and procurement cost data. Such manipulation can distort financial reporting, inventory management, and procurement processes, potentially leading to inaccurate accounting, financial losses, or fraudulent activities. The vulnerability does not require authentication or user interaction, making it easier to exploit if the attacker can access the stock entry interface. No CVSS score has been assigned yet, and no public exploits are known at this time. The vulnerability is a classic example of a business logic flaw where improper input validation leads to financial data integrity issues rather than direct system compromise or data leakage.
Potential Impact
The primary impact of this vulnerability is the corruption of financial records within the affected pharmacy management system. Attackers can manipulate inventory asset values and procurement costs by submitting negative financial values, which can lead to inaccurate financial statements, misinformed business decisions, and potential financial losses. Organizations relying on this system may face audit failures, regulatory compliance issues, and reputational damage if financial discrepancies are discovered. While the vulnerability does not directly compromise confidentiality or availability, the integrity of financial data is critically affected. This can also facilitate fraudulent activities such as unauthorized financial adjustments or embezzlement. The scope is limited to organizations using this specific version of the SourceCodester Pharmacy Product Management System, but the impact on affected entities can be severe, especially in healthcare environments where accurate inventory and procurement data are essential.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict server-side validation to ensure that the 'txtprice' and 'txttotalcost' parameters cannot accept negative values or other invalid inputs. Input validation should be enforced regardless of any client-side checks. Additionally, a thorough audit of existing financial and inventory data should be conducted to identify and correct any corrupted records resulting from exploitation. Applying patches or updates from the vendor, if available, is critical. If no official patch exists, organizations should consider custom code fixes or input sanitization measures. Access to the stock entry interface should be restricted to authorized personnel only, and logging should be enabled to detect suspicious activities related to stock and financial data entries. Regular security reviews and business logic testing should be incorporated into the development lifecycle to prevent similar issues.
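As an added illustration of the server-side check recommended above (example code, not the SourceCodester project's own), the following PHP helpers reject negative or malformed values for the two add-stock.php parameters before anything is written; the function names and the placement at the top of the script are assumptions.

```php
<?php
// Added example, not the vendor's code: server-side checks for the two
// add-stock.php fields named in the advisory. Function names are assumed.

// Parse a money field into a non-negative amount with at most two decimals.
// Returns a string suitable for a DECIMAL column, or null when rejected.
function parseMoneyField($raw): ?string
{
    // $_POST values can be arrays (txtprice[]=...), so check the type first.
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    // Plain decimal notation only: this rejects a minus sign, "-0", exponents
    // like "1e3", hex, "INF"/"NAN", thousands separators and >2 decimals.
    if (!preg_match('/^(?:0|[1-9][0-9]{0,9})(?:\.[0-9]{1,2})?$/', $raw)) {
        return null;
    }
    return number_format((float) $raw, 2, '.', '');
}

// Validate the stock-entry request. Returns [price, totalCost] on success;
// on failure logs the rejected values (so abuse is visible) and returns null.
function validateStockEntry(array $post): ?array
{
    $price = parseMoneyField($post['txtprice'] ?? null);
    $total = parseMoneyField($post['txttotalcost'] ?? null);
    if ($price === null || $total === null) {
        error_log(sprintf(
            'add-stock rejected: txtprice=%s txttotalcost=%s',
            var_export($post['txtprice'] ?? null, true),
            var_export($post['txttotalcost'] ?? null, true)
        ));
        return null;
    }
    return [$price, $total];
}

// Usage at the top of add-stock.php, before any database write.
$validated = validateStockEntry($_POST);
if ($validated === null) {
    http_response_code(400);
    exit('Invalid price or total cost.');
}
[$price, $totalCost] = $validated;
```

Because the regex admits only plain decimal notation, inputs such as "-5", "1e3" or "0x10" are refused before any numeric conversion, which is where PHP's loose casting would otherwise let a negative value through.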
Affected Countries
United States, India, Brazil, Indonesia, Philippines, Nigeria, South Africa, Mexico, Pakistan, Bangladesh
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-03-04T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69c6c6913c064ed76fdc295e
Added to database: 3/27/2026, 6:04:01 PM
Last enriched: 3/27/2026, 6:06:09 PM
Last updated: 3/28/2026, 1:15:15 AM