Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_sales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Script Injection
Action: Apply Patch
AI Analysis

Impact

A reflected cross‑site scripting flaw exists in the add_sales.php module of SourceCodester Sales and Inventory System 1.0. The application echoes the value of the msg query string directly in the generated page, so an attacker can embed JavaScript or other HTML. This flaw can be used to steal credentials, deface pages, or conduct phishing attacks against other users, damaging confidentiality and integrity of user data.

Affected Systems

Only the 1.0 release of SourceCodester Sales and Inventory System is affected. No other versions or vendors have been reported to contain the flaw. The vulnerability resides in the publicly accessible web interface of the application.

Risk and Exploitability

The base CVSS score of 6.1 indicates a medium severity vulnerability, and the EPSS score of less than 1 % suggests that widespread exploitation is currently unlikely. The flaw is not listed in the CISA KEV catalog. Attackers can launch the exploit remotely by sending a crafted GET request to add_sales.php without authentication, making it trivial for anyone who can reach the application URL.

Generated by OpenCVE AI on April 6, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor‑issued patch that sanitizes or encodes the msg parameter before echoing it back to the client.
  • If no patch exists, perform input validation on the msg parameter, limiting allowed characters and enforcing a maximum length.
  • Encode any output derived from msg using a proper escaping function from the application’s language.
  • Update the web application firewall to block requests that contain JavaScript or HTML payloads in the msg parameter.
  • Monitor server logs for unexpected script injection patterns and investigate any incidents.
  • Educate end‑users to avoid clicking on suspicious links that may contain malicious script.

Generated by OpenCVE AI on April 6, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System
CPEs cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0
First Time appeared Sourcecodester
Sourcecodester sales And Inventory System
Vendors & Products Sourcecodester
Sourcecodester sales And Inventory System

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0
Weaknesses CWE-79

Mon, 30 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_sales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

Ahsanriaz26gmailcom Sales And Inventory System
Sourcecodester Sales And Inventory System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:45:25.078Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30559

cve-icon Vulnrichment

Updated: 2026-03-31T18:02:55.245Z

cve-icon NVD

Status : Modified

Published: 2026-03-30T16:16:05.520

Modified: 2026-04-06T14:16:24.210

Link: CVE-2026-30559

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:46Z

Weaknesses