Description
A vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored Cross‑Site Scripting flaw exists in the SourceCodester Inventory System 1.0. The flaw is triggered by unsanitized handling of the fullname/username argument in the users.php file. When an attacker supplies a malicious payload in this parameter, the payload is rendered and executed in the browsers of any user who visits the affected page. This enables theft of session cookies, defacement, and execution of arbitrary client‑side code, thereby compromising the confidentiality, integrity, and availability of user data.

Affected Systems

SourceCodester Inventory System 1.0. No other versions are listed as affected in the available data.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack can be performed remotely and public exploit code is documented, suggesting that an adversary who can craft a request containing a malicious fullname/username value can trigger the vulnerability from outside the network.

Generated by OpenCVE AI on June 8, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Sanitize and properly escape all user‑supplied data for the fullname/username field before rendering it in users.php
  • Apply the latest vendor patch or update to any officially released fixed version of SourceCodester Inventory System
  • Implement content‑security‑policy headers that restrict the execution of inline scripts and disallow loading of external scripts

Generated by OpenCVE AI on June 8, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
Title SourceCodester Inventory System User Management users.php cross site scripting
First Time appeared Sourcecodester
Sourcecodester inventory System
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:sourcecodester:inventory_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester inventory System
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Sourcecodester Inventory System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T15:43:59.841Z

Reserved: 2026-06-07T16:01:19.606Z

Link: CVE-2026-11518

cve-icon Vulnrichment

Updated: 2026-06-08T15:43:47.764Z

cve-icon NVD

Status : Received

Published: 2026-06-08T15:16:43.420

Modified: 2026-06-08T15:16:43.420

Link: CVE-2026-11518

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T16:00:14Z

Weaknesses