Impact
The vulnerability is a reflected cross‑site scripting flaw that occurs in the Inventory System’s view_sales.php page. The application accepts a "limit" query parameter but does not sanitize its value, allowing an attacker to embed arbitrary JavaScript or HTML into a crafted URL. When a victim navigates to the malicious link, the embedded code executes within the victim’s browser, giving the attacker the ability to hijack sessions, deface the site, or perform other client‑side attacks.
Affected Systems
SourceCodester Inventory System 1.0 contains the affected code in its view_sales.php file. Deployments of this version that expose the limit parameter are susceptible, and any user who loads the view_sales.php page with a crafted limit value is at risk.
Risk and Exploitability
Because the flaw is reflected and operates purely via a URL, it can be exploited remotely whenever a user clicks or otherwise loads the malicious link. The official reference indicates no KEV reporting, so the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog. No EPSS score is available, which neither rules out exploitation nor indicates a high likelihood of it. A CVSS score is not provided, yet the ability to run arbitrary client‑side code represents a high impact on the confidentiality and integrity of the victim's session.
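Added example, not part of the original advisory or of the Inventory System's own code: a small Python detector that scans web-server access-log lines for requests to view_sales.php whose limit value is anything other than a plain integer, which is the shape of request this flaw requires. The log format (Apache combined), the /inventory/ path prefix and the client IPs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /inventory/view_sales.php?limit=25 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /inventory/view_sales.php?limit=10%3Cb%3Ex HTTP/1.1" 200 4390 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /inventory/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /inventory/view_sales.php?limit=%2210 HTTP/1.1" 200 4380 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# The only value a paging limit should ever carry: a short run of digits.
SAFE_LIMIT_RE = re.compile(r'^\d{1,6}$')


def suspicious_limit_requests(log_text):
    """Return (client_ip, decoded_limit_value) for every view_sales.php request
    whose limit parameter is not a plain bounded integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or non-request line, skip
        ip, _ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/view_sales.php"):
            continue
        # parse_qs percent-decodes once, so %3C shows up as '<' in the value;
        # keep_blank_values makes an empty limit= visible as well.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("limit", []):
            if not SAFE_LIMIT_RE.match(raw):
                hits.append((ip, raw))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_limit_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric limit: {value!r}")
```

A double-encoded value such as %253C decodes only once here and is still flagged, because the result is not purely numeric.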
OpenCVE Enrichment