Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A reflected XSS flaw exists in the add_category.php module of SourceCodester Sales and Inventory System 1.0, allowing an attacker to inject arbitrary script or HTML through the unsanitized "msg" parameter. If successfully exploited, the injected code runs with the privileges of the victim who views the crafted page, potentially enabling session hijacking, credential theft, and defacement of the application. The vulnerability is a classic cross‑site scripting weakness, which can be used for malicious client‑side attacks without requiring elevated server permissions.

Affected Systems

The affected product is SourceCodester Sales and Inventory System, version 1.0. No other versions or modules are listed as vulnerable.

Risk and Exploitability

The CVSS metric is not provided, but the flaw allows remote exploitation via a simple crafted URL, making it highly likely to be used in the wild. No EPSS score or KEV listing is available, suggesting the vulnerability may be relatively new or underreported. The lack of an official patch means this issue remains exploitable until a fix is released or mitigated by the customer.

Generated by OpenCVE AI on March 30, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Sanitize the 'msg' parameter and apply proper output encoding in add_category.php
  • Deploy a Content Security Policy that disallows inline scripts and unsafe eval usage
  • Enable a Web Application Firewall to detect and block reflected XSS payloads
  • Monitor HTTP traffic for suspicious 'msg' parameter usage and log all such requests
  • If a patch is not available, consider disabling the add_category functionality until a fix is applied

Generated by OpenCVE AI on March 30, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Sales and Inventory System via 'msg' Parameter
Weaknesses CWE-79

Mon, 30 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-31T18:06:59.338Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30557

cve-icon Vulnrichment

Updated: 2026-03-31T18:02:17.132Z

cve-icon NVD

Status : Received

Published: 2026-03-30T16:16:05.310

Modified: 2026-03-31T18:16:47.860

Link: CVE-2026-30557

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:56:25Z

Weaknesses