Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a reflected XSS that occurs when the application accepts an unsanitized value for the ‘limit’ parameter in view_stock_availability.php. Attackers can send a crafted URL that includes malicious JavaScript or HTML, which is then rendered in the victim’s browser. This flaw allows execution of arbitrary client‑side code, enabling session hijacking, defacement, or phishing, and corresponds to CWE‑79.

Affected Systems

The affected system is the SourceCodester Sales and Inventory System 1.0, specifically the module that processes the limit query variable. The public CPE identifies the product as inventory_system version 1.0. No alternative vendors or versions are listed, so any deployment matching that version is potentially vulnerable.

Risk and Exploitability

The overall risk is moderate: the CVSS vector indicates that the issue can be triggered remotely without authentication. The EPSS figure suggests that few attacks are expected to target this flaw at present, and it is not in the known-exploited (KEV) list. Nevertheless, because exploitation requires only that a user follow a malicious link, users of the system may have attacker-supplied script run in their browser session, so a patch or mitigation should be applied with high priority.

Generated by OpenCVE AI on April 6, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch if the vendor releases an update that sanitizes the limit parameter.
  • If no patch is available, validate and sanitize the limit input so that only numeric values are accepted, and enforce length limits.
  • Deploy a web application firewall rule that rejects requests containing script tags or suspicious payloads in the limit query parameter.
  • Add a Content Security Policy header that disallows inline scripts and restricts script sources to known domains.
  • Monitor web server logs for anomalous requests and investigate any that contain potential XSS payloads.
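
The validation, output-encoding and Content Security Policy recommendations above, sketched in PHP as an added example; this is not code from the affected application or from OpenCVE. The names parse_limit(), render_summary(), DEFAULT_LIMIT, MAX_LIMIT and CSP, the numeric bounds and the sample query strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the application's code. parse_limit(), render_summary(),
// DEFAULT_LIMIT, MAX_LIMIT and CSP are hypothetical names and values.
const DEFAULT_LIMIT = 25;
const MAX_LIMIT = 500;

/** Return a validated integer limit, or null when the request must be rejected. */
function parse_limit(array $query): ?int
{
    if (!array_key_exists('limit', $query)) {
        return DEFAULT_LIMIT;              // parameter absent: use the default
    }
    $raw = $query['limit'];
    // limit[]=x arrives as an array; more than 3 characters cannot be <= 500
    if (!is_string($raw) || strlen($raw) > 3) {
        return null;
    }
    // ctype_digit accepts only ASCII 0-9: no sign, whitespace or markup
    if (!ctype_digit($raw)) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= MAX_LIMIT) ? $n : null;
}

/** Encode at the output boundary even though the value is already an int. */
function render_summary(int $limit): string
{
    $safe = htmlspecialchars((string) $limit, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Showing up to {$safe} items</p>";
}

// No inline scripts, scripts only from this origin. In the web context,
// send it with header(CSP) before any output.
const CSP = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";

// Constructed sample query strings, run from the CLI (php example.php).
$samples = ['limit=50', 'limit=0', 'limit=9999', 'limit=10%3Cb%3E', 'limit[]=5', 'page=2'];
foreach ($samples as $qs) {
    parse_str($qs, $query);                // same decoding PHP applies to $_GET
    $limit = parse_limit($query);
    echo str_pad($qs, 18), ' => ',
        $limit === null ? 'HTTP 400, nothing reflected' : render_summary($limit), PHP_EOL;
}
```

Rejected requests return an error without echoing the submitted value, so no part of the input reaches the response body.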


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS via limit parameter in Inventory System view_stock_availability

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS via limit Parameter in Inventory System

Mon, 30 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Ahsanriaz26gmailcom
Ahsanriaz26gmailcom inventory System
CPEs cpe:2.3:a:ahsanriaz26gmailcom:inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products Ahsanriaz26gmailcom
Ahsanriaz26gmailcom inventory System
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 30 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description
Removed: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Added: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester inventory System
Vendors & Products Sourcecodester
Sourcecodester inventory System

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via limit Parameter in Inventory System
Weaknesses CWE-79

Fri, 27 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:46:40.333Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30569

Vulnrichment

Updated: 2026-03-31T16:04:06.992Z

NVD

Status: Modified

Published: 2026-03-27T17:16:28.483

Modified: 2026-04-06T14:16:24.923

Link: CVE-2026-30569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:53Z

Weaknesses