Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A reflected Cross‑Site Scripting flaw resides in the add_category.php file of the SourceCodester Sales and Inventory System 1.0, where the "msg" query parameter is not sanitized. An attacker can inject arbitrary HTML or JavaScript by crafting a URL that contains malicious payloads in this parameter. If a legitimate user follows such a link, the injected script runs in the user’s browser, potentially allowing cookie theft, session hijacking, or malicious redirects. The weakness is consistent with CWE‑79, which describes reflected XSS injection. The impact on confidentiality, integrity, or availability is limited to the victim’s browser session and does not compromise server‑side data directly.

Affected Systems

The vulnerability affects exclusively the SourceCodester Sales and Inventory System version 1.0, as identified by the provided CPE string. No other vendors, products, or versions are listed in the CNA data for this CVE.

Risk and Exploitability

The CVSS base score of 6.1 indicates a moderate risk level. The EPSS score of less than 1% suggests that the likelihood of widespread exploitation is low, and the vulnerability is not currently catalogued in CISA’s KEV list. Exploitation requires only that a user visit a tailored URL containing the malicious "msg" parameter; no authentication or privileged access is required. The attack is achievable via a standard web browser and can be performed by anyone who can send or entice a target to click the crafted link.

Generated by OpenCVE AI on April 6, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Sanitize or encode the 'msg' query parameter in add_category.php using functions like htmlspecialchars to eliminate executable code.
  • Implement input validation or a whitelist to allow only safe strings for the 'msg' parameter.
  • Deploy a web application firewall rule that blocks suspicious payloads in the 'msg' query string.
  • Verify whether the vendor has released an updated version that addresses the issue, and upgrade if available.
  • If a patch is not immediately available, monitor user activity logs for anomalous requests containing the 'msg' parameter and consider blocking suspicious traffic.

Generated by OpenCVE AI on April 6, 2026 at 16:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester sales And Inventory System
Vendors & Products Sourcecodester
Sourcecodester sales And Inventory System

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System
CPEs cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Sales and Inventory System via 'msg' Parameter

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Sales and Inventory System via 'msg' Parameter
Weaknesses CWE-79

Mon, 30 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

Ahsanriaz26gmailcom Sales And Inventory System
Sourcecodester Sales And Inventory System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:45:09.835Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30557

cve-icon Vulnrichment

Updated: 2026-03-31T18:02:17.132Z

cve-icon NVD

Status : Modified

Published: 2026-03-30T16:16:05.310

Modified: 2026-04-06T14:16:23.337

Link: CVE-2026-30557

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:48Z

Weaknesses