Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the index.php file of SourceCodester Sales and Inventory System version 1.0. The application reflects the "msg" query parameter into the page without sanitizing or encoding it, so an attacker who gets a user to visit a crafted URL can inject arbitrary JavaScript or HTML into that user's page. Consequently, a malicious actor could execute scripts in the victim's browser, potentially stealing session cookies, defacing the site, or redirecting users to phishing pages.

Affected Systems

Affected systems are the SourceCodester Sales and Inventory System 1.0 web application, specifically the index.php handler that processes the "msg" parameter. The product is identified by the CPE string cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0. No other versions or vendors are currently listed as affected.

Risk and Exploitability

The CVSS base score of 6.1 indicates medium severity, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild. The vulnerability is not catalogued in CISA's KEV list. The flaw is triggered when a user visits a crafted URL: no authentication or privileged access is required, but the victim must follow the link (the CVSS vector records UI:R). While the likelihood of exploitation is low, the potential for client‑side compromise warrants caution, especially where users may follow untrusted links.

Generated by OpenCVE AI on April 2, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SourceCodester Sales and Inventory System to a version that sanitizes the 'msg' parameter or applies output encoding.
  • If an update is not immediately possible, implement server‑side input validation and HTML encoding for the 'msg' parameter in index.php.
  • Deploy a web application firewall rule to detect and block script or HTML payloads in the 'msg' query string.
  • Instruct users to bookmark legitimate URLs and be wary of suspicious links.
  • Regularly monitor application logs for attempts to inject malicious scripts via the 'msg' parameter.
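The interim fix in the second action (server‑side validation and HTML encoding of 'msg' in index.php) looks like the following. This is an added example, not code from SourceCodester's Sales and Inventory System; the exact markup that index.php wraps around the message, and the status codes used, are assumptions. It shows the vulnerable reflection pattern the CVE describes beside two hardened forms: output encoding for the HTML text context, and an allow‑list that maps a short code to a fixed message so free text is never reflected at all.

```php
<?php
// Added example (not the project's code). Assumed: index.php reads ?msg=...
// and prints it inside an alert box; the <div class="alert"> markup is a guess.

// Vulnerable pattern (what CVE-2026-30556 describes): the query parameter is
// concatenated into HTML unencoded, so markup in the URL becomes live markup.
function render_msg_unsafe(string $msg): string
{
    return '<div class="alert">' . $msg . '</div>';
}

// Hardened pattern 1: encode for the HTML text/attribute context before
// reflecting. ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string, ENT_HTML5 selects the
// HTML5 entity table. The explicit charset avoids relying on default_charset.
function render_msg_safe(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $encoded . '</div>';
}

// Hardened pattern 2: do not reflect user-supplied text at all. The URL only
// carries a short code, and the message text lives server-side. Unknown codes
// render nothing. (Codes and texts below are assumed, not the project's own.)
const STATUS_MESSAGES = [
    'saved'   => 'Record saved.',
    'deleted' => 'Record deleted.',
    'error'   => 'The request could not be completed.',
];

function render_msg_allowlist(string $code): string
{
    if (!array_key_exists($code, STATUS_MESSAGES)) {
        return '';
    }
    // Still encode: the fixed strings are trusted today, but encoding at the
    // output boundary keeps the sink safe if the table is ever edited.
    $text = htmlspecialchars(STATUS_MESSAGES[$code], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $text . '</div>';
}

// Defence in depth: a restrictive CSP stops inline scripts from executing even
// if an encoding bug slips through elsewhere in the application.
header("Content-Security-Policy: default-src 'self'");
header('X-Content-Type-Options: nosniff');

$msg = $_GET['msg'] ?? '';

// echo render_msg_unsafe($msg);   // the vulnerable reflection; kept for contrast
echo render_msg_allowlist($msg);   // preferred
// echo render_msg_safe($msg);     // acceptable if free-text messages are required
```

The allow‑list form is preferable because it removes the reflected sink entirely; if the application genuinely needs to show arbitrary text, `render_msg_safe` encodes it at the output boundary, which is the point where the HTML context is known.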

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System
CPEs cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Sales and Inventory System via msg Parameter
First Time appeared Sourcecodester
Sourcecodester sales And Inventory System
Vendors & Products Sourcecodester
Sourcecodester sales And Inventory System

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Sales and Inventory System via msg Parameter
Weaknesses CWE-79

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-31T18:05:38.126Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30556

Vulnrichment

Updated: 2026-03-31T17:52:53.397Z

NVD

Status: Analyzed

Published: 2026-03-30T16:16:05.203

Modified: 2026-04-01T15:42:17.493

Link: CVE-2026-30556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:54:28Z

Weaknesses