Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-27
Score: n/a
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch or Mitigate
AI Analysis

Impact

A reflected Cross‑Site Scripting flaw exists in SourceCodester Inventory System 1.0. An attacker can embed arbitrary JavaScript or HTML into the "limit" URL parameter of the view_purchase.php page, causing it to execute in the victim’s browser. This client‑side script execution can lead to session hijacking, data theft, defacement, or other malicious actions performed under the privileges of the compromised user.

Affected Systems

The vulnerability is present in SourceCodester Inventory System version 1.0. No additional version details are provided, and the flaw resides specifically in the view_purchase.php component of this application.

Risk and Exploitability

No CVSS or EPSS score is available, but the nature of a reflected XSS indicates high potential impact when a user visits a crafted URL. The attack route is remote and requires only user interaction with the malicious link; it becomes more dangerous if the user is authenticated or follows trust assumptions. The vulnerability is not listed in the CISA KEV catalog, and no public exploitation evidence is documented in the provided references.

Generated by OpenCVE AI on March 27, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a patched release of SourceCodester Inventory System is available, upgrade immediately.
  • Sanitize, validate, and properly encode the "limit" parameter before outputting it to prevent JavaScript execution.
  • Deploy a robust Content Security Policy to restrict the loading of unauthorized scripts.
  • Monitor web traffic and application logs for signs of malicious script injection or unauthorized script execution.

Generated by OpenCVE AI on March 27, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via 'limit' parameter in SourceCodester Inventory System 1.0
Weaknesses CWE-79

Fri, 27 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T17:56:00.849Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30568

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T18:16:05.190

Modified: 2026-03-27T18:16:05.190

Link: CVE-2026-30568

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:25:50Z

Weaknesses