Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_supplier.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-30
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A reflected cross‑site scripting flaw exists in the view_supplier.php handler of SourceCodester Sales and Inventory System 1.0. The flaw is triggered by the unsanitized "limit" query parameter, allowing a remote attacker to embed arbitrary HTML or JavaScript through a crafted URL. Code injected through this vector can steal session cookies, hijack user sessions, deface the site, or redirect victims to malicious pages, exploiting the weakness identified as CWE‑79.

Affected Systems

The vulnerability affects SourceCodester Sales and Inventory System version 1.0 where the view_supplier module processes the "limit" parameter. This is the only affected product noted in the advisory.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. Because exploitation requires a victim to click a malicious link, the attack vector is likely unprivileged web‑based with network access. The EPSS score is not published, and the issue is not currently listed in CISA’s KEV catalog, implying no known active exploitation. Nonetheless, given the widespread use of reflected XSS for credential theft and defacement, the risk level remains significant for exposed web applications.

Generated by OpenCVE AI on March 30, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to the latest supported release if a patch is available.
  • Apply output encoding or sanitization to the "limit" parameter in view_supplier.php.
  • Deploy a web application firewall rule to detect and block reflected XSS payloads on the "limit" query string.
  • Audit other input fields in the application for similar sanitization gaps.

Generated by OpenCVE AI on March 30, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected Cross‑Site Scripting via 'limit' Parameter in View Supplier

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_supplier.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T15:30:34.724Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30565

cve-icon Vulnrichment

Updated: 2026-03-30T15:30:29.871Z

cve-icon NVD

Status : Received

Published: 2026-03-30T15:16:26.710

Modified: 2026-03-30T16:16:06.270

Link: CVE-2026-30565

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:56:32Z

Weaknesses