Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-27
Score: n/a
EPSS: n/a
KEV: No
Impact: Cross‑site scripting allows execution of arbitrary scripts in a victim’s browser
Action: Patch Immediately
AI Analysis

Impact

A reflected cross‑site scripting vulnerability exists in the SourceCodester Inventory System 1.0, located in the view_product.php file via the ‘limit’ query parameter. The application fails to sanitize the input, allowing a remote attacker to construct a URL that injects malicious JavaScript or HTML. When a user opens the crafted link, the injected code runs in the context of the website, which could lead to defacement, credential theft, or session hijacking.

Affected Systems

The affected product is the SourceCodester Inventory System, version 1.0, implemented in PHP. The flaw resides in the view_product.php script that processes the ‘limit’ parameter. No other versions or deployments are documented as vulnerable in the provided material.

Risk and Exploitability

The flaw allows remote exploitation without authentication. Any user who clicks the malicious link is at risk, as the attacker can inject arbitrary client‑side code. Although no CVSS score is supplied, reflected XSS vulnerabilities are typically considered high severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the potential for widespread exploitation remains because the trigger requires only a visit to a crafted URL.

Generated by OpenCVE AI on March 27, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply an updated version of the view_product.php file that properly validates or sanitizes the ‘limit’ parameter, or apply a vendor patch if one becomes available.
  • Encode all user‑controlled data before rendering it in HTML contexts, for example using htmlspecialchars() with ENT_QUOTES and UTF-8.
  • Verify the fix by testing the view_product.php endpoint with benign and malicious inputs.
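As an added example, not code from SourceCodester or from this advisory: a constructed PHP handler for the ‘limit’ parameter that shows the unencoded pattern beside the validated and encoded form the recommended actions describe. The function names, and the assumption that ‘limit’ is a page-size integer reflected back into a form field, are mine, since the advisory does not show the application's code.

```php
<?php
// Added example (not the project's code): a constructed view_product.php-style
// handler for the 'limit' query parameter, in vulnerable and hardened form.
// Assumption: 'limit' is a page-size value that the page echoes back into HTML.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is placed into HTML with no encoding,
// so any markup in the query string becomes part of the page.
function render_limit_vulnerable(array $query): string
{
    $limit = $query['limit'] ?? '10';
    return "<input type=\"text\" name=\"limit\" value=\"$limit\">";
}

// Hardened pattern, step 1: validate with an allow-list (an integer in a sane
// range) and fall back to the default for anything else.
function parse_limit(array $query, int $default = 10, int $max = 100): int
{
    $raw = $query['limit'] ?? (string) $default;
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

// Hardened pattern, step 2: output-encode anyway, so a later relaxation of the
// validation cannot silently reintroduce the injection.
function html(string $s): string
{
    // ENT_QUOTES encodes both quote styles, which matters inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_limit_hardened(array $query): string
{
    $limit = parse_limit($query);
    return '<input type="text" name="limit" value="' . html((string) $limit) . '">';
}

// Constructed inputs: a normal value and a value carrying markup characters.
$benign  = ['limit' => '25'];
$markup  = ['limit' => '25"><i>t</i>'];

echo render_limit_vulnerable($markup), PHP_EOL; // raw markup survives into the page
echo render_limit_hardened($benign), PHP_EOL;   // integer accepted and encoded
echo render_limit_hardened($markup), PHP_EOL;   // rejected by parse_limit, default used
```

The vulnerable and hardened outputs for the same markup input can be diffed directly, which is the benign-versus-hostile check the last recommended action calls for.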

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type       | Values Removed | Values Added
Title      | (none)         | Reflected Cross‑Site Scripting via Unvalidated ‘limit’ Parameter in Inventory System
Weaknesses | (none)         | CWE-79

Fri, 27 Mar 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References  | (none)         | (none)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T17:57:38.181Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30567

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T18:16:05.083

Modified: 2026-03-27T18:16:05.083

Link: CVE-2026-30567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:25:52Z

Weaknesses