Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_customer.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting via unsanitized msg parameter in SourceCodester Sales and Inventory System 1.0
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows a remote attacker to inject arbitrary web script or HTML into the page returned by add_customer.php. Because the "msg" query parameter is reflected into the response without encoding, a crafted URL can carry a payload that executes in the browser of any user who opens it, within the application's origin. Consequences of such cross-site scripting include theft of session cookies or credentials, actions performed with the victim's authenticated session, and defacement of the page content. The weakness is CWE-79, improper neutralization of input during web page generation.

Affected Systems

SourceCodester Sales and Inventory System 1.0 is affected. Every deployment of that version is exposed, because the reflection of the "msg" parameter in add_customer.php is a property of the application code rather than a configuration option; no fixed version is listed on this page.

Risk and Exploitability

Exploitation requires only a crafted URL whose "msg" parameter carries the payload, delivered to a victim who follows it; the likely attack vector is a single HTTP GET request to add_customer.php. The CVSS 3.1 vector recorded for this CVE (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, score 5.4, Medium) encodes that: network-reachable with low attack complexity, but a low-privileged account is required (PR:L) and the victim must interact (UI:R); confidentiality and integrity impact are rated low, with a scope change because the payload runs in the victim's browser. EPSS is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records a public proof of concept that is not automatable. The risk is therefore moderate: any logged-in user who follows a malicious link could be affected, but the effect is confined to that user's browser session and is removed entirely by encoding the parameter on output.

Generated by OpenCVE AI on March 30, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an official vendor patch or updated version that encodes the msg parameter on output, and upgrade as soon as one is available
  • If no patch is available, validate msg on input: accept only the short set of expected values (or characters and lengths) and reject or drop anything else rather than reflecting it
  • Apply context-appropriate output encoding (HTML entity escaping for page body text) to any data from msg before rendering it; this is the actual fix, and it applies even after input validation
  • Add a Content Security Policy header that disallows inline script as defense in depth; it limits what an injected payload can do but does not replace output encoding
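The following PHP is an added example, not code from the SourceCodester project; it reconstructs the pattern the Impact section describes (a query parameter written straight into the response) and sets it beside the hardened form the recommended actions call for. The function names, the ALLOWED_MSGS table and its message texts, and the CSP value are assumptions chosen for illustration; only the behaviour of the vulnerable function (raw reflection of msg) follows from the advisory.

```php
<?php
// Added example, not the project's code. Reconstructs the reflected-XSS
// pattern described in the advisory and shows a hardened replacement.
// Function names, ALLOWED_MSGS and the CSP value are hypothetical.

declare(strict_types=1);

// Vulnerable pattern (assumed from the advisory's description): the raw query
// parameter is concatenated into HTML, so msg=<script>...</script> or
// msg="><img src=x onerror=alert(1)> executes in the victim's browser.
function render_msg_vulnerable(array $query): string
{
    $msg = $query['msg'] ?? '';
    return '<div class="alert">' . $msg . '</div>';
}

// Hardened version, two layers matching the recommended actions:
//  1. Input validation: only short, known status keys are accepted, and the
//     page itself chooses the display text, so attacker-controlled text never
//     reaches the template.
//  2. Output encoding: even the trusted lookup result is passed through
//     htmlspecialchars(), so a later change to the table cannot reintroduce
//     the injection.
const ALLOWED_MSGS = [
    'added'   => 'Customer added successfully.',
    'updated' => 'Customer updated successfully.',
    'error'   => 'Could not save the customer. Please try again.',
];

function render_msg_hardened(array $query): string
{
    $key = $query['msg'] ?? '';
    // Allow-list check: a short lowercase key that exists in the table.
    // is_string() also rejects msg[]=... array tricks.
    if (!is_string($key)
        || !preg_match('/\A[a-z]{1,16}\z/', $key)
        || !array_key_exists($key, ALLOWED_MSGS)) {
        return ''; // unknown or malformed key: render nothing, reflect nothing
    }
    $text = ALLOWED_MSGS[$key];
    // ENT_QUOTES | ENT_SUBSTITUTE escapes < > & " ' and replaces invalid UTF-8.
    return '<div class="alert">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// Defense in depth: a CSP that disallows inline script. It does not fix the
// reflection, but the classic <script> and onerror= payloads will not run
// under it if escaping is ever missed elsewhere.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'");
}

// Demonstration with a constructed payload in the shape the advisory describes.
if (PHP_SAPI === 'cli') {
    $payload = ['msg' => '"><img src=x onerror=alert(document.cookie)>'];
    echo "vulnerable: " . render_msg_vulnerable($payload) . "\n";
    echo "hardened:   [" . render_msg_hardened($payload) . "]\n";
    echo "hardened:   " . render_msg_hardened(['msg' => 'added']) . "\n";
}
```

Running it with `php example.php` prints the payload verbatim for the vulnerable function, an empty string for the hardened one, and the canned "Customer added successfully." message for a valid key. If a page genuinely needs free-form text in msg rather than a status key, drop the allow-list but keep the htmlspecialchars() call on the raw value, and never place the value inside a <script> block or an unquoted attribute, where HTML entity encoding is not sufficient.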

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type         Values Removed   Values Added
Title                         Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0
Weaknesses                    CWE-79

Mon, 30 Mar 2026 16:00:00 +0000

Type          Values Removed   Values Added
Description                    A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_customer.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-31T18:06:53.972Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30558

Vulnrichment

Updated: 2026-03-31T18:00:48.479Z

NVD

Status : Received

Published: 2026-03-30T16:16:05.417

Modified: 2026-03-31T18:16:48.037

Link: CVE-2026-30558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:25Z

Weaknesses