Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_stock.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: Reflected XSS allowing arbitrary script execution in user browsers
Action: Apply Patch
AI Analysis

Impact

The SourceCodester Sales and Inventory System 1.0 suffers from a reflected cross-site scripting vulnerability in add_stock.php. The msg query parameter is written into the HTML response without output encoding, so an attacker can craft a URL whose msg value carries JavaScript or HTML that renders, and executes, in the browser of whoever opens the link. The injected script runs in the application's origin with the privileges of the victim's session, which enables session hijacking (if the session cookie is readable by script), credential theft through injected forms, and defacement. The flaw maps to CWE-79. Its CVSS 3.1 score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) rates confidentiality and integrity impact as high and availability impact as none; scope is Changed because the payload executes in the victim's browser rather than in the vulnerable server component.

Affected Systems

The CVE record lists only SourceCodester Sales and Inventory System version 1.0; no other vendors, products or versions are named. Because this page identifies no fixed release, any deployment of this version should be treated as vulnerable.

Risk and Exploitability

The flaw is exploited by getting a victim to open a crafted URL whose msg parameter carries the payload. Because the XSS is reflected, the victim must follow the link (UI:R), but the attacker needs no account on the application (PR:N), and the server accepts the request unauthenticated. The SSVC assessment records a public proof of concept (Exploitation: poc) but no automated exploitation (Automatable: no); there is no KEV listing and no EPSS score yet. The CVSS score of 9.3 reflects high confidentiality and integrity impact on the victim's session and data, not on the server itself. Treat the flaw as high risk wherever add_stock.php is reachable by users who hold privileged sessions, and especially where the endpoint is exposed to the internet.

Generated by OpenCVE AI on March 30, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to a fixed release when one is published; at the time of this page, no vendor fix or workaround is listed (see Remediation).
  • Until then, change add_stock.php so that the msg parameter is HTML-encoded (htmlspecialchars with ENT_QUOTES, in the page's character set) before it is written into the response, or, better, stop reflecting free text at all and map msg to a fixed set of server-side messages.
  • Deploy a Content Security Policy that forbids inline script: a script-src without 'unsafe-inline', using nonces or hashes for the application's own inline scripts. This limits what an injected payload can do but does not fix the bug; the output-encoding change is still required.
  • Monitor web-server logs for requests to add_stock.php whose msg value contains markup or script after URL decoding (including double-encoded forms), and block sources that repeat them. Treat filter-based blocking as a tripwire rather than a fix, since encoding variations bypass simple patterns.
  • Tell end users not to open untrusted links that point to add_stock.php, and treat this as a weak control: reflected-XSS links are routinely disguised with URL shorteners or embedded in phishing mail.
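The following is an added illustration for the second and third actions above; it is not OpenCVE's text and not the project's own add_stock.php, whose exact code is not on this page. It reconstructs the described pattern (the msg parameter echoed into HTML) next to two hardened forms and a nonce-based CSP header. The message keys, texts and CSS class names are assumptions made for the example.

```php
<?php
// Added example (not the project's code): the reflected-XSS pattern the
// advisory describes in add_stock.php, beside hardened versions.
declare(strict_types=1);

// Reconstruction of the vulnerable behaviour: the "msg" query parameter is
// written straight into the HTML response, so a payload such as an <img>
// tag with an onerror handler in the URL runs in the victim's browser.
function render_msg_vulnerable(array $query): string
{
    $msg = $query['msg'] ?? '';
    return '<div class="alert">' . $msg . '</div>';
}

// Fix 1: encode for the HTML body context before echoing.
// ENT_QUOTES also escapes ' and " so the value is safe inside attributes
// quoted with either character; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, which would otherwise silently drop the message.
// A non-string value (msg[]=x arrives as an array) is discarded.
function render_msg_encoded(array $query): string
{
    $msg = $query['msg'] ?? '';
    if (!is_string($msg)) {
        $msg = '';
    }
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $safe . '</div>';
}

// Fix 2 (preferred for a status message): never reflect free text at all.
// msg becomes a key into a server-side table of allowed messages and
// anything else is ignored. Keys and texts are assumptions for the example.
const ALLOWED_MESSAGES = [
    'added'   => 'Stock added successfully.',
    'updated' => 'Stock updated successfully.',
    'error'   => 'The operation could not be completed.',
];

function render_msg_allowlisted(array $query): string
{
    $key = $query['msg'] ?? '';
    if (!is_string($key) || !array_key_exists($key, ALLOWED_MESSAGES)) {
        return '';   // unknown key: show nothing rather than echo it back
    }
    return '<div class="alert">' . ALLOWED_MESSAGES[$key] . '</div>';
}

// Defence in depth: a CSP that forbids inline script. A per-response nonce
// lets the page's own <script nonce="..."> tags run while blocking injected
// inline handlers and script elements. The remaining directives are a
// conservative starting point; adjust them to what the application loads.
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

// Demonstration with a constructed payload of the kind the advisory describes.
if (PHP_SAPI === 'cli') {
    $payload = ['msg' => '<img src=x onerror="alert(1)">'];
    echo "vulnerable:  ", render_msg_vulnerable($payload), PHP_EOL;
    echo "encoded:     ", render_msg_encoded($payload), PHP_EOL;
    echo "allowlisted: ", var_export(render_msg_allowlisted($payload), true), PHP_EOL;
    echo "allowlisted: ", render_msg_allowlisted(['msg' => 'added']), PHP_EOL;
    echo csp_header(base64_encode(random_bytes(16))), PHP_EOL;
}
```

In the web application the header would be emitted with header(csp_header($nonce)) before any output, with a fresh nonce generated for every response and the same nonce placed on each legitimate inline script tag. The allow-list form is the stronger fix because it removes the reflection entirely; the encoding form is the minimal change if the page genuinely needs to display caller-supplied text, and it is correct only for the HTML body context, so a value placed inside a script block or a URL attribute would need a different encoder.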
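As an added example for the monitoring action above (not OpenCVE's text and not part of the product), this PHP command-line script scans access-log lines in the common "combined" format for requests to add_stock.php whose decoded msg value carries markup or script. The log lines are constructed for the example, not real traffic, and the pattern list is an assumption to be tuned per deployment.

```php
<?php
// Added example (not OpenCVE's or the project's code): flag access-log
// lines whose add_stock.php request carries markup or script in msg.
declare(strict_types=1);

// Patterns that indicate markup or script in a decoded parameter value.
// Keep the list short and review hits by hand: attackers vary encodings,
// so a regex list is a tripwire, not proof of absence.
const SUSPICIOUS = [
    '/<\s*script\b/i',
    '/<\s*(img|svg|iframe|body|object|embed)\b/i',
    '/\bon[a-z]+\s*=/i',     // event handlers: onerror=, onload=, ...
    '/javascript\s*:/i',
    '/[<>"\']/',             // any raw markup metacharacter in a status message
];

// Parse one Apache/nginx combined-format line into its parts, or return
// null if the line does not match the expected shape.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    [, $ip, $ts, $method, $target, $status] = $m;
    $parts = parse_url($target);
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);   // parse_str URL-decodes values once
    }
    return ['ip' => $ip, 'time' => $ts, 'method' => $method,
            'path' => $parts['path'] ?? '', 'query' => $query, 'status' => (int) $status];
}

// Return a finding when the line targets add_stock.php with a suspicious
// msg value, otherwise null.
function inspect(string $line): ?array
{
    $req = parse_log_line($line);
    if ($req === null || basename($req['path']) !== 'add_stock.php') {
        return null;
    }
    if (!array_key_exists('msg', $req['query'])) {
        return null;
    }
    $msg = $req['query']['msg'];
    if (!is_string($msg)) {   // msg[]=... arrives as an array; worth a look too
        return ['ip' => $req['ip'], 'time' => $req['time'], 'reason' => 'msg is not a scalar'];
    }
    // A second decode pass catches double-encoded payloads (%253C -> %3C -> <).
    foreach ([$msg, rawurldecode($msg)] as $value) {
        foreach (SUSPICIOUS as $pattern) {
            if (preg_match($pattern, $value)) {
                return ['ip' => $req['ip'], 'time' => $req['time'],
                        'msg' => $value, 'pattern' => $pattern];
            }
        }
    }
    return null;
}

// Constructed sample lines (not real traffic): benign, crafted, double-encoded.
$sample = [
    '203.0.113.10 - - [30/Mar/2026:16:20:01 +0000] "GET /inventory/add_stock.php?msg=added HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Mar/2026:16:21:13 +0000] "GET /inventory/add_stock.php?msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640 "-" "curl/8.0"',
    '198.51.100.7 - - [30/Mar/2026:16:21:40 +0000] "GET /inventory/add_stock.php?msg=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 640 "-" "curl/8.0"',
];

foreach ($sample as $line) {
    $hit = inspect($line);
    if ($hit !== null) {
        echo json_encode($hit), PHP_EOL;
    }
}
```

Run against a real log with php scan.php < access.log after replacing the sample array with a loop over STDIN. The first sample line produces no finding; the second and third do, the third only because of the second decode pass. Pair findings with the encoding fix rather than relying on them: a 200 status on a flagged request means the payload was reflected to whoever opened the link, so the client-side fix, not the alert, is what stops the attack.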

Generated by OpenCVE AI on March 30, 2026 at 20:25 UTC.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type: Title
Values Removed: (none)
Values Added: Reflected XSS via msg Parameter in SourceCodester Sales and Inventory System

Mon, 30 Mar 2026 19:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: score 9.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
  ssvc (version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: total

Mon, 30 Mar 2026 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_stock.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T18:13:15.980Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30562

Vulnrichment

Updated: 2026-03-30T18:13:00.510Z

NVD

Status : Received

Published: 2026-03-30T16:16:05.840

Modified: 2026-03-30T19:16:25.377

Link: CVE-2026-30562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:21Z

Weaknesses