Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_supplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side script execution (Cross‑Site Scripting)
Action: Immediate Patch
AI Analysis

Impact

A reflected cross‑site scripting vulnerability exists in the SourceCodester Sales and Inventory System 1.0, specifically in the add_supplier.php file where the "msg" query parameter is not sanitized before being echoed back to the browser. This allows a remote attacker to supply a crafted URL that injects arbitrary web script or HTML, which the victim’s browser will execute within the context of the application, potentially enabling the attacker to run client‑side code without their Own credentials.

Affected Systems

The affected product is the SourceCodester Sales and Inventory System, version 1.0. No other vendors or versions are listed as impacted. Deployments that run this exact version are susceptible, while later or alternative version releases may not contain the flaw.

Risk and Exploitability

The CVSS score of 6.1 rates the vulnerability as moderate. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the issue is not part of CISA’s KEV catalog. The attacker merely needs to lure a user to the maliciously crafted URL; no authentication or privileged access is required to trigger the flaw.

Generated by OpenCVE AI on April 6, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied fix or upgrade to a patched version that sanitizes the "msg" parameter.
  • Implement input validation that ensures the "msg" parameter is escaped or filtered before rendering or use a strict whitelist of acceptable characters.
  • Validate the fix by running automated XSS scanners or manual tests to confirm the vulnerability is removed.
  • Monitor web traffic for unusual request patterns containing script payloads and block traffic from suspicious sources if detected.

Generated by OpenCVE AI on April 6, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in Sales and Inventory System 1.0

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in Sales and Inventory System 1.0

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System
CPEs cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0
First Time appeared Sourcecodester
Sourcecodester sales And Inventory System
Vendors & Products Sourcecodester
Sourcecodester sales And Inventory System

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System 1.0
Weaknesses CWE-79

Mon, 30 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_supplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

Ahsanriaz26gmailcom Sales And Inventory System
Sourcecodester Sales And Inventory System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:45:42.570Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30560

cve-icon Vulnrichment

Updated: 2026-03-31T18:00:17.033Z

cve-icon NVD

Status : Modified

Published: 2026-03-30T16:16:05.627

Modified: 2026-04-06T14:16:24.403

Link: CVE-2026-30560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:45Z

Weaknesses