Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_supplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The add_supplier.php script accepts a msg parameter and echoes it without output encoding, permitting a remote attacker to inject script via a crafted URL. This reflected XSS lets the attacker run arbitrary JavaScript in the victim's browser, deface content, steal session cookies, or redirect the victim to phishing sites, compromising the confidentiality and integrity of the web application.

Affected Systems

SourceCodester Sales and Inventory System version 1.0

Risk and Exploitability

The flaw is reachable by anyone who can craft and send a request to add_supplier.php, so it is remotely exploitable. While no CVSS score or EPSS data was supplied when this analysis was generated, a reflected XSS of this kind is typically triggered by a single click on a malicious link, presenting a medium to high risk to users. The absence of a CISA KEV listing suggests no known active exploitation yet, but with no patch available the issue remains open.

Generated by OpenCVE AI on March 30, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated version of SourceCodester Sales and Inventory System that removes the unsanitized echo of the msg parameter.
  • If an update is not immediately available, add input validation to strip or encode the msg parameter before outputting it to the page.
  • Implement a Content-Security-Policy header to limit executable scripts on the page as an additional defense.
  • Verify the fix by testing the add_supplier.php page with a malicious msg string, ensuring no script executes.
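The recommended actions above, as an added example that is not code from SourceCodester Sales and Inventory System: the page does not show the actual add_supplier.php source, so the "before" function is an assumed reconstruction of the unencoded echo the description implies, placed next to the encoded output, a CSP header, and a regression check a maintainer can run from the command line.

```php
<?php
// Added example, not code from SourceCodester Sales and Inventory System.
// The "before" function is an assumed reconstruction of the pattern the
// advisory describes (a msg query parameter echoed unencoded); the real
// add_supplier.php source is not shown on the page.

// BEFORE (assumed vulnerable pattern): the raw parameter lands in the HTML,
// so any markup or script in the URL is parsed by the victim's browser.
function render_msg_unsafe(?string $msg): string
{
    if ($msg === null || $msg === '') {
        return '';
    }
    return '<div class="alert">' . $msg . '</div>';
}

// AFTER: encode for the HTML text context at the point of output. ENT_QUOTES
// covers both quote styles and the explicit UTF-8 charset avoids the
// charset-dependent gaps of the default.
function render_msg_safe(?string $msg): string
{
    if ($msg === null || $msg === '') {
        return '';
    }
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $encoded . '</div>';
}

// Defence in depth, as the recommended actions suggest: without a nonce or
// hash, this CSP refuses inline script entirely, so an injected <script>
// element does not run even if an encoding gap remains somewhere.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Regression check: strip the renderer's own wrapper, then the body must
// contain no raw tag opener at all.
function msg_is_inert(string $rendered): bool
{
    $body = preg_replace('#^<div class="alert">(.*)</div>$#s', '$1', $rendered);
    return strpos($body, '<') === false;
}

// Constructed test input: harmless markup that must never survive as tags.
$sample = '<b>Supplier added</b> <script>/* constructed marker */</script>';
printf("unsafe inert: %s\n", msg_is_inert(render_msg_unsafe($sample)) ? 'yes' : 'no');
printf("safe inert:   %s\n", msg_is_inert(render_msg_safe($sample)) ? 'yes' : 'no');
```

In the page itself the call would be `render_msg_safe($_GET['msg'] ?? null)` with `send_csp_header()` issued before any output; the check function gives a quick pass/fail for the verification step in the last recommended action.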

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 03:00:00 +0000

Type: Title
Values Added: Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0

Type: Weaknesses
Values Added: CWE-79

Mon, 30 Mar 2026 16:00:00 +0000

Type: Description
Values Added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_supplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

Type: References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-31T18:05:49.178Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30560

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-30T16:16:05.627

Modified: 2026-03-31T18:16:48.387

Link: CVE-2026-30560

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:23Z

Weaknesses