Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting allows attackers to inject arbitrary script into user browsers
Action: Update System
AI Analysis

Impact

The vulnerability is a reflected XSS flaw in the index.php file of SourceCodester Sales and Inventory System 1.0. When a specially crafted value is passed in the msg query parameter, the application echoes it into the page without output encoding, so a remote attacker can inject arbitrary JavaScript or HTML that executes in the browser of anyone who opens the crafted URL. Depending on how the application protects its cookies, this can lead to session hijacking (if the session cookie lacks HttpOnly), credential theft through injected forms, or defacement of the page as seen by the victim.

Affected Systems

SourceCodester Sales and Inventory System 1.0. The flaw is in the server-side PHP of index.php, which echoes the msg query parameter into the rendered page without encoding; no other versions or components are listed as affected.

Risk and Exploitability

The severity is moderate: the CVSS v3.1 base score is 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, i.e. reachable over the network with low attack complexity and no privileges, but requiring user interaction, with limited confidentiality and integrity impact confined to the victim's browser session (scope changed, as is standard for reflected XSS). Exploitation only requires luring a victim into opening a crafted link; no authentication is needed. The EPSS probability is below 1%, and the vulnerability is not tracked in CISA's KEV catalog.

Generated by OpenCVE AI on March 30, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Encode the msg value for its HTML output context before echoing it (in PHP, htmlspecialchars with ENT_QUOTES); HTML encoding alone is not sufficient if the value is later placed inside a script block, a URL, or an unquoted attribute
  • Prefer an allow-list: if msg only selects a status message to display, look the key up in a fixed table instead of echoing attacker-supplied text
  • If the application uses a templating layer, rely on its auto-escaping rather than manual echo statements
  • Apply updates or patches from the vendor when released
  • Validate user input server-side; client-side checks are bypassed by a crafted link
  • Add defense in depth: mark the session cookie HttpOnly and deploy a Content-Security-Policy that disallows inline script
  • Re-test with typical XSS probe payloads (for example <script>alert(1)</script> and event-handler attributes) to confirm the value is rendered inert

Generated by OpenCVE AI on March 30, 2026 at 17:26 UTC.
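As an added illustration (this is not the project's code, which the page does not reproduce), the following PHP shows the kind of raw reflection of a msg query parameter that produces CWE-79, beside an output-encoded version and an allow-list alternative, with a small regression check using a constructed probe payload. The function names, the alert markup and the message table are assumptions for the example.

```php
<?php
// Added example, not code from Sales and Inventory System 1.0. The real
// index.php is not shown on this page; names and markup here are hypothetical.

// Vulnerable pattern (CWE-79): the query value is concatenated straight into HTML.
function render_msg_vulnerable(?string $msg): string
{
    if ($msg === null || $msg === '') {
        return '';
    }
    return '<div class="alert">' . $msg . '</div>';
}

// Hardened: encode for the HTML body context. ENT_QUOTES also neutralises both
// quote styles, so the same output is safe inside a quoted attribute;
// ENT_SUBSTITUTE returns U+FFFD instead of an empty string on invalid UTF-8.
function render_msg_safe(?string $msg): string
{
    if ($msg === null || $msg === '') {
        return '';
    }
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $escaped . '</div>';
}

// Allow-list alternative: when msg only selects a status message (e.g. ?msg=saved),
// look the key up in a fixed table so attacker text is never echoed at all.
const MESSAGES = [
    'saved'   => 'Record saved.',
    'deleted' => 'Record deleted.',
    'error'   => 'Something went wrong.',
];

function render_msg_allowlist(?string $key): string
{
    if ($key === null || !array_key_exists($key, MESSAGES)) {
        return '';
    }
    return '<div class="alert">' . MESSAGES[$key] . '</div>';
}

// Regression check with a constructed probe payload (what a tester would pass in ?msg=).
$payload = '<script>alert(1)</script>';
assert(str_contains(render_msg_vulnerable($payload), '<script>'));
assert(!str_contains(render_msg_safe($payload), '<script>'));
assert(render_msg_safe($payload) === '<div class="alert">&lt;script&gt;alert(1)&lt;/script&gt;</div>');
assert(render_msg_allowlist($payload) === '');
assert(render_msg_allowlist('saved') === '<div class="alert">Record saved.</div>');

// Call site in index.php would become:
// echo render_msg_safe($_GET['msg'] ?? null);
```

htmlspecialchars is the correct encoder only for HTML body and quoted-attribute contexts. If the application ever places msg inside inline JavaScript, a URL, or an unquoted attribute, that sink needs its own context-specific encoding or, better, the allow-list approach so no attacker-controlled text reaches the page. Marking the session cookie HttpOnly and shipping a Content-Security-Policy without unsafe-inline limit the damage if another reflection point is missed.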

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 03:00:00 +0000

Type: Title
Values removed: (none)
Values added: Reflected XSS in SourceCodester Sales and Inventory System via msg Parameter

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Mon, 30 Mar 2026 16:15:00 +0000

Type: Description
Values removed: (none)
Values added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

Type: References
Values removed: (none)
Values added: (not displayed)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-31T18:05:38.126Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30556

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-30T16:16:05.203

Modified: 2026-03-31T18:16:47.683

Link: CVE-2026-30556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:26Z

Weaknesses