Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A reflected cross‑site scripting flaw in the SourceCodester Sales and Inventory System 1.0 allows an attacker to embed arbitrary JavaScript or HTML into the view_product.php page by supplying a malicious string in the limit query parameter. When a victim follows a crafted link, the unsanitized value is echoed back into the page, enabling the embedded code to execute in the victim’s browser. This can lead to cookie theft, session hijacking, unauthorized content injection, or phishing attacks against users of the application.

Affected Systems

The vulnerability exists in SourceCodester Sales and Inventory System version 1.0, specifically within the view_product.php script that accepts a limit parameter in its query string. Any deployment of that version that exposes the limit parameter is susceptible to exploitation.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score below 1% indicates a low estimated probability of exploitation in the wild. The flaw requires only a crafted URL and does not need authentication or privileged access, making it easy for an attacker to target any user who clicks a malicious link. Although it is not listed in CISA’s KEV catalog, the lack of input validation means it remains a high priority for remediation.

Generated by OpenCVE AI on April 6, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch for SourceCodester Sales and Inventory System 1.0 once it becomes available.
  • If a patch is not available, modify view_product.php so that the limit parameter accepts only numeric values and that the output is properly escaped before rendering.
  • Test the changes to confirm that the limit parameter no longer reflects unsanitized user input.
  • Consider restricting access to the view_product.php page to trusted users or enforcing a web‑application firewall rule that rejects requests containing non‑numeric limit values.
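
The second and third actions above, sketched in PHP as an added example. This is not the application's own code: the source of view_product.php is not shown on this page, so `normalize_limit()`, `h()`, `LIMIT_DEFAULT`, `LIMIT_MAX` and the way the value is rendered are assumptions. It requires PHP 8.0 or later.

```php
<?php
// Added example: the real view_product.php source is not shown on this page.
// normalize_limit(), h(), LIMIT_DEFAULT and LIMIT_MAX are hypothetical names.
declare(strict_types=1);

const LIMIT_DEFAULT = 10;   // assumed default page size
const LIMIT_MAX     = 100;  // assumed upper bound

/**
 * Return a safe integer page size from the raw query value.
 * Anything that is not a plain decimal integer in range falls back to the default.
 */
function normalize_limit(mixed $raw): int
{
    // ?limit[]=x arrives as an array; a missing parameter arrives as null.
    if (!is_string($raw)) {
        return LIMIT_DEFAULT;
    }
    // ctype_digit rejects signs, whitespace, hex prefixes and any markup.
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 4) {
        return LIMIT_DEFAULT;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= LIMIT_MAX) ? $n : LIMIT_DEFAULT;
}

/** Escape a string for HTML text and quoted-attribute contexts. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, including a value that carries markup.
$samples = ['25', '0', '-5', '9999', ' 10', '0x1A', '"><i>test</i>', ['x'], null];

foreach ($samples as $raw) {
    $limit = normalize_limit($raw);
    $shown = is_string($raw) ? $raw : gettype($raw);
    // The raw value is escaped for display only; the page itself renders $limit.
    printf("raw=%s -> limit=%d\n", h($shown), $limit);
}

// In the page, echo the validated integer and never $_GET['limit'] itself:
// echo '<input name="limit" value="' . h((string) normalize_limit($_GET['limit'] ?? null)) . '">';
```

Running the file from the command line covers the third action: every sample that is not a plain integer in range comes back as the default, and the markup sample is printed only in escaped form.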


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS in Inventory System via limit parameter

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics
Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in Inventory System via limit parameter

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics
Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected Cross‑Site Scripting via Unvalidated ‘limit’ Parameter in Inventory System

Mon, 30 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Ahsanriaz26gmailcom
Ahsanriaz26gmailcom inventory System
CPEs cpe:2.3:a:ahsanriaz26gmailcom:inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products Ahsanriaz26gmailcom
Ahsanriaz26gmailcom inventory System
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 30 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description
Removed: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester inventory System
Vendors & Products Sourcecodester
Sourcecodester inventory System

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected Cross‑Site Scripting via Unvalidated ‘limit’ Parameter in Inventory System
Weaknesses CWE-79

Fri, 27 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:46:19.881Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30567

Vulnrichment

Updated: 2026-03-31T16:12:17.159Z

NVD

Status: Modified

Published: 2026-03-27T18:16:05.083

Modified: 2026-04-06T14:16:24.757

Link: CVE-2026-30567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:50Z
