Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability is a reflected XSS in view_sales.php, triggered by the limit parameter. The application neither validates this input nor encodes it on output, so an attacker can embed arbitrary JavaScript or HTML in a crafted URL. When a victim opens such a URL, the injected code runs in the victim's browser in the application's origin, with whatever session the victim holds, and can read session cookies (unless they are HttpOnly), perform actions as that user, deface the page, or redirect the user to a phishing site. The weakness is CWE‑79. The CVSS vector (C:L/I:L/A:N) records a low impact on confidentiality and integrity and no impact on availability.

Affected Systems

The affected software is SourceCodester Sales and Inventory System version 1.0. The CPE attached to this record is cpe:2.3:a:ahsanriaz26gmailcom:inventory_system:1.0:*:*:*:*:*:*:*, so asset inventories should match on either the SourceCodester or the ahsanriaz26gmailcom vendor name. No other vendors or versions are listed in the CNA data, so only this release is known to be vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) marks this issue as medium severity: reachable over the network without authentication, but requiring user interaction. NVD briefly carried a 5.4 score with PR:L before restoring 6.1 on 6 April 2026 (see History). The EPSS score below 1% suggests a low probability of exploitation in the next 30 days. The vulnerability is not in the CISA KEV catalog, so no in-the-wild exploitation has been confirmed; the SSVC record does mark Exploitation as "poc", so a public proof of concept should be assumed to exist. An attacker must lure a user into opening a crafted URL carrying a malicious limit value, the classic reflected XSS vector. Since the flaw stems from missing input validation and output encoding, it can be exploited with minimal technical skill, but it requires user interaction to trigger the payload.

Generated by OpenCVE AI on April 6, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SourceCodester Sales and Inventory System to a release in which the limit parameter is validated and output-encoded, once the vendor publishes one (none is listed on this page).
  • If no fix is available, patch the source locally: validate limit as a bounded integer, and pass any value echoed into the page through htmlspecialchars() with ENT_QUOTES before it is placed in an HTML context.
  • Deploy a Content Security Policy that disallows inline script, and set session cookies HttpOnly, Secure and SameSite so a successful injection cannot read them. X‑XSS‑Protection is deprecated and ignored by current browsers; X‑Content‑Type‑Options: nosniff is still worth setting, but it addresses MIME sniffing rather than reflected XSS.
  • Scan the application for other reflected or stored XSS flaws, since the same output-handling pattern may be repeated in other parameters.
  • Educate users not to open untrusted links. Multi‑factor authentication protects the login step but does not stop an attacker who already holds a stolen session cookie, so also keep session lifetimes short and invalidate sessions on logout.
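The vulnerable-versus-hardened pattern behind the Impact analysis and the second recommendation above, as an added PHP illustration that is not SourceCodester's code: the real view_sales.php is not reproduced on this page, so the vulnerable handler is a reconstruction of the pattern the description implies (the raw limit query parameter echoed into HTML). The function names render_limit_vulnerable, sanitize_limit, h, render_limit_hardened and send_hardening_headers are invented for the example, and the assumption that limit is a page-size integer follows from its name rather than from anything on the page.

```php
<?php
// Added illustration for CVE-2026-30570, not the project's own code.
// The vulnerable handler is a reconstruction of the pattern the CVE
// description implies; the hardened functions are the suggested fix.

// --- Vulnerable pattern (reconstruction, do not deploy) -----------------
function render_limit_vulnerable(array $get): string
{
    $limit = $get['limit'] ?? '10';
    // Raw interpolation: ?limit="><script>...</script> closes the attribute
    // and the rest of the payload is parsed as markup.
    return '<input type="text" name="limit" value="' . $limit . '">';
}

// --- Hardened pattern ---------------------------------------------------
// 1. Validate. A page-size parameter (assumption: "limit" is a page size)
//    only ever needs a bounded positive integer; anything else, including
//    a missing value or an array (?limit[]=x), falls back to the default.
function sanitize_limit($raw, int $default = 10, int $max = 500): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $v === false ? $default : $v;
}

// 2. Encode. Every value that reaches HTML goes through htmlspecialchars
//    with ENT_QUOTES so both quote styles are covered, even though after
//    step 1 the value is an integer. The encoding survives the refactor
//    that later echoes a string here.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_limit_hardened(array $get): string
{
    $limit = sanitize_limit($get['limit'] ?? null);
    return '<input type="text" name="limit" value="' . h((string) $limit) . '">';
}

// 3. Reduce the impact of any reflection that slips through. A CSP without
//    'unsafe-inline' blocks the injected inline script, and HttpOnly keeps
//    the session cookie out of document.cookie. Must run before any output.
function send_hardening_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration with a constructed probe payload (not a real request).
$probe = ['limit' => '"><script>alert(1)</script>'];
echo render_limit_vulnerable($probe), "\n";
echo render_limit_hardened($probe), "\n";
echo render_limit_hardened(['limit' => '25']), "\n";
echo render_limit_hardened(['limit' => ['1']]), "\n";
```

Run from the command line with php; the vulnerable renderer emits the probe unchanged inside the input tag, while the hardened renderer emits value="10" for the probe and for the array case and value="25" for a legitimate value. The CSP shown uses script-src 'self', which will break any inline script the existing templates rely on; if those cannot be moved to external files, use per-response nonces instead. session_set_cookie_params() with an options array requires PHP 7.3 or later.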

Advisories

No advisories yet.

History

Each entry lists the fields changed at that time. Where a field shows both a removed and an added value, the removed value is given first.

Tue, 07 Apr 2026 08:00:00 +0000
  Title: Reflected XSS via limit Parameter in SourceCodester Sales and Inventory System 1.0

Mon, 06 Apr 2026 14:15:00 +0000
  Metrics:
    removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
    added:   cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000
  Title: Reflected XSS via limit Parameter in SourceCodester Sales and Inventory System 1.0

Tue, 31 Mar 2026 18:15:00 +0000
  Metrics:
    removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    added:   cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 03:00:00 +0000
  Title: Reflected XSS via limit parameter in Inventory System

Mon, 30 Mar 2026 17:30:00 +0000
  First Time appeared: Ahsanriaz26gmailcom; Ahsanriaz26gmailcom inventory System
  CPEs: cpe:2.3:a:ahsanriaz26gmailcom:inventory_system:1.0:*:*:*:*:*:*:*
  Vendors & Products: Ahsanriaz26gmailcom; Ahsanriaz26gmailcom inventory System
  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 30 Mar 2026 15:00:00 +0000
  Description:
    removed: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
    added:   A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL

Mon, 30 Mar 2026 08:15:00 +0000
  First Time appeared: Sourcecodester; Sourcecodester inventory System
  Vendors & Products: Sourcecodester; Sourcecodester inventory System

Fri, 27 Mar 2026 20:30:00 +0000
  Title: Reflected XSS via limit parameter in Inventory System
  Weaknesses: CWE-79

Fri, 27 Mar 2026 17:00:00 +0000
  Description: A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:47:01.982Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30570

Vulnrichment

Updated: 2026-03-31T16:05:57.881Z

NVD

Status : Modified

Published: 2026-03-27T17:16:28.597

Modified: 2026-04-06T14:16:25.100

Link: CVE-2026-30570

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:52Z

Weaknesses