CVE-2026-30563 - Vulnerability Details

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the update_details.php file. The application fails to sanitize the "website" parameter provided in a POST request. This allows authenticated attackers to inject arbitrary web script or HTML that is stored in the database and executed whenever the store details page is accessed.

Published: 2026-03-30

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an authenticated user to store arbitrary JavaScript or HTML in the database by submitting malicious content through the "website" input in a POST request. When the store details page is later accessed, the unsanitized data is rendered, causing the script to run in the victim’s browser. This can lead to defacement, credential theft, or other browser‑based attacks.

Affected Systems

The vulnerable product is the SourceCodester Sales and Inventory System, version 1.0. No other vendor or version details are published.

Risk and Exploitability

The base score of 6.1 indicates medium severity. Exploit probability is low, reflected by an EPSS below 1%, and the flaw is not listed among known exploited vulnerabilities. Because the attacker must first be authenticated, exposure is limited to compromised accounts, but any user who views the affected page would have the malicious payload executed, potentially affecting many users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Sourcecodester

Sales And Inventory System

80%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Sales and Inventory System to a patched version that sanitizes the website field.
If a patch is not available, modify update_details.php to escape or remove HTML and JavaScript from the input before storing it in the database.
Add a Content‑Security‑Policy header to restrict script execution and mitigate unintended script runs.

Generated by OpenCVE AI on April 2, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-UpdateDetails-website.md

History

Fri, 03 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester sales And Inventory System
Vendors & Products		Sourcecodester Sourcecodester sales And Inventory System

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Title	Stored XSS in SourceCodester Sales and Inventory System via Unsanitized Website Field

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ahsanriaz26gmailcom Ahsanriaz26gmailcom sales And Inventory System
CPEs		cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:::::::*
Vendors & Products		Ahsanriaz26gmailcom Ahsanriaz26gmailcom sales And Inventory System

Tue, 31 Mar 2026 03:00:00 +0000

Type	Values Removed	Values Added
Title		Stored XSS in SourceCodester Sales and Inventory System via Unsanitized Website Field

Mon, 30 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the update_details.php file. The application fails to sanitize the "website" parameter provided in a POST request. This allows authenticated attackers to inject arbitrary web script or HTML that is stored in the database and executed whenever the store details page is accessed.
References		https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-UpdateDetails-website.md

Subscriptions

Ahsanriaz26gmailcom Sales And Inventory System

Sourcecodester Sales And Inventory System

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-30T00:00:00.000Z

Updated: 2026-03-30T15:28:43.996Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30563

Vulnrichment

Updated: 2026-03-30T15:28:38.452Z

NVD

Status : Analyzed

Published: 2026-03-30T15:16:26.460

Modified: 2026-04-01T17:46:28.023

Link: CVE-2026-30563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:11:43Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object