Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_purchase.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (XSS) allowing execution of arbitrary code in the victim's browser session
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting flaw located in the add_purchase.php file of SourceCodester Sales and Inventory System 1.0. Attackers can embed arbitrary JavaScript or HTML in the msg query parameter, which the application outputs without escaping. This allows malicious scripts to run in the context of a victim's browser session, potentially leading to session hijacking, cookie theft, or defacement.

Affected Systems

The flaw affects the free, open‑source Sales and Inventory System released under the SourceCodester brand, version 1.0. No official vendor or patched release is listed, so users must protect themselves until an update becomes available.

Risk and Exploitability

With a CVSS score of 6.1 and an EPSS under 1 %, the risk is moderate but still noteworthy. The attack vector is local to a victim who clicks a crafted URL, making it feasible for targeted phishing campaigns. Because it is not listed in CISA’s KEV catalog, there is no current evidence of widespread exploitation, yet the vulnerability remains actionable.

Generated by OpenCVE AI on April 6, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Escalate all user‑supplied input to output encoding or sanitize the "msg" parameter before rendering.
  • Implement a Content Security Policy to restrict execution of inline scripts and limit allowed script sources.
  • Upgrade to a patched version of SourceCodester Sales and Inventory System if one is released.
  • If no patch is available, remove or block the vulnerable endpoint from public access paths.
  • Monitor web application logs for suspicious activity and apply rate limiting on the add_purchase endpoint.

Generated by OpenCVE AI on April 6, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS Vulnerability in SourceCodester Sales and Inventory System

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester sales And Inventory System
Vendors & Products Sourcecodester
Sourcecodester sales And Inventory System

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS Vulnerability in SourceCodester Sales and Inventory System

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System
CPEs cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Sales and Inventory System 1.0

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Sales and Inventory System 1.0
Weaknesses CWE-79

Mon, 30 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_purchase.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

Ahsanriaz26gmailcom Sales And Inventory System
Sourcecodester Sales And Inventory System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:45:59.893Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30561

cve-icon Vulnrichment

Updated: 2026-03-31T17:59:25.268Z

cve-icon NVD

Status : Modified

Published: 2026-03-30T16:16:05.737

Modified: 2026-04-06T14:16:24.577

Link: CVE-2026-30561

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:44Z

Weaknesses