Description
A vulnerability was detected in SourceCodester Inventory Management System 1.0. Impacted is an unknown function of the file /api/users_handler.php of the component User Registration Endpoint. Performing a manipulation of the argument full_name results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Published: 2026-06-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site scripting flaw exists in the User Registration Endpoint of SourceCodester Inventory Management System, specifically when the full_name parameter is manipulated. The vulnerability allows an attacker to inject script that executes in the browsers of other users who view affected pages, potentially leading to session hijacking, defacement, or theft of sensitive information. The flaw is a medium-severity weakness with a CVSS score of 5.1 and is not listed in the CISA KEV catalog.

Affected Systems

Version 1.0 of the SourceCodester Inventory Management System, through the API handler file /api/users_handler.php, is affected. All installations that have not applied an official update or patch should be considered vulnerable.

Risk and Exploitability

The vulnerability can be triggered remotely by sending a crafted HTTP request that sets the full_name argument; it is therefore exploitable by adversaries with network access to the application. Although no exploitation has been recorded in KEV, and the very low EPSS score (below 1%) indicates limited publicly available exploitation data, the moderate CVSS score reflects that an attacker who can reach the endpoint could leverage client-side script execution to compromise targeted users.

Generated by OpenCVE AI on June 29, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate and encode the full_name input before rendering it in any HTML context.
  • Enforce strict output encoding and a Content Security Policy that disallows inline script execution.
  • Deploy a web application firewall rule to block or sanitize suspicious patterns such as embedded <script> tags in the full_name parameter.
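As an added illustration of the first two recommendations (validate and encode full_name before it is rendered, and send a Content Security Policy), here is a hypothetical PHP handler fragment. It is not code from the SourceCodester project or from OpenCVE; the function names, the validation policy and the sample input are assumptions made for this example, and it assumes the mbstring extension is available.

```php
<?php
// Added example, not the SourceCodester project's code. Hypothetical
// helpers showing the unsafe output pattern beside the hardened one.
declare(strict_types=1);

// Send a Content Security Policy that disallows inline script. Must be
// called before any output is written.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Input validation on the registration path. Returns the trimmed name or
// null when it violates the (assumed) policy: non-empty, at most 100
// characters, letters/marks/spaces/apostrophes/hyphens/periods only.
function validate_full_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Output encoding for an HTML text or double-quoted attribute context.
// Encode at render time regardless of what validation ran on input.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// UNSAFE (illustrative only): untrusted value concatenated straight into HTML.
function render_welcome_unsafe(string $fullName): string
{
    return '<p>Welcome, ' . $fullName . '</p>';
}

// HARDENED: same output with the value encoded.
function render_welcome_safe(string $fullName): string
{
    return '<p>Welcome, ' . h($fullName) . '</p>';
}

send_csp_header();

// Constructed sample input containing markup, as a tester would submit it.
$submitted = 'Alice <script>alert(1)</script>';

// Validation rejects the value (null), so it never reaches storage.
$accepted = validate_full_name($submitted);
echo 'validation: ', ($accepted === null ? 'rejected' : 'accepted'), "\n";

// Had such a value reached the render path, only the encoded version is safe:
// the unsafe renderer emits live markup, the safe one emits it as visible text.
echo 'unsafe: ', render_welcome_unsafe($submitted), "\n";
echo 'safe:   ', render_welcome_safe($submitted), "\n";
```

The contextual output encoding is the actual fix for a CWE-79 issue; input validation narrows what can be stored, and the CSP limits what an injected script could do if a render path is missed. A WAF rule on `<script>` patterns, as in the third recommendation, is a stopgap until the handler itself is corrected.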

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in SourceCodester Inventory Management System 1.0. Impacted is an unknown function of the file /api/users_handler.php of the component User Registration Endpoint. Performing a manipulation of the argument full_name results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Title | | SourceCodester Inventory Management System User Registration Endpoint users_handler.php cross site scripting
First Time appeared | | Sourcecodester; Sourcecodester inventory Management System
Weaknesses | | CWE-79; CWE-94
CPEs | | cpe:2.3:a:sourcecodester:inventory_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Sourcecodester; Sourcecodester inventory Management System
References | |
Metrics | | cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0 {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:57:51.853Z

Reserved: 2026-06-28T18:31:28.618Z

Link: CVE-2026-13570

Vulnrichment

Updated: 2026-06-29T13:57:47.958Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')