Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_purchase.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

SourceCodester Sales and Inventory System 1.0 contains a reflected XSS flaw in the add_purchase.php script where the msg parameter is echoed without filtering. An attacker can craft a URL that injects arbitrary JavaScript or HTML; when a victim clicks the link, the injected code runs in the victim’s browser context. The vulnerability allows potential theft of credentials, session hijacking, or site defacement. Based on the description, it is inferred that no authentication is required to reach the vulnerable endpoint, making exploitation trivial for unauthenticated users.

Affected Systems

The only affected version identified is SourceCodester Sales and Inventory System 1.0. The add_purchase.php endpoint is exposed to all users that can access the front‑end, and no other product versions are known to be impacted. No vendor CNA information is available for this release.

Risk and Exploitability

The exploit is remotely triggered via a crafted URL and does not require additional privileges. No EPSS score is publicly available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw rests on lack of input validation, attackers can easily inject malicious payloads from any remote host. The risk includes compromise of user accounts, data exfiltration, and potential system disruption, with a high likelihood of exploitation due to its simplicity.

Generated by OpenCVE AI on March 30, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch once released
  • Modify add_purchase.php to properly validate or HTML‑encode the msg parameter before output
  • Deploy a Content‑Security‑Policy header that blocks inline scripts and restricts script sources
  • Implement a web application firewall rule to detect and block XSS payloads targeting the msg parameter
  • Conduct manual or automated testing to confirm the removal of the reflected XSS vulnerability

Generated by OpenCVE AI on March 30, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Sales and Inventory System 1.0
Weaknesses CWE-79

Mon, 30 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_purchase.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-31T18:05:43.567Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30561

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-30T16:16:05.737

Modified: 2026-03-31T18:16:48.970

Link: CVE-2026-30561

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:56:22Z

Weaknesses