Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-03-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote script execution via reflected XSS, enabling session hijacking or data theft in users' browsers
Action: Apply Patch
AI Analysis

Impact

A reflected cross‑site scripting flaw exists in the view_category.php page of SourceCodester Sales and Inventory System 1.0. An attacker can supply a specially crafted value for the limit parameter that is reflected back in the response without proper encoding, allowing the injection of arbitrary JavaScript or HTML. If executed in the victim’s browser, the script can steal session cookies, deface pages, or redirect users to malicious sites.

Affected Systems

The vulnerability affects SourceCodester Sales and Inventory System 1.0, specifically the view_category.php component that handles the limit query parameter. The CPE indicates version 1.0 of the application and no higher, patching of which should eliminate the flaw.

Risk and Exploitability

The CVSS score of 6.1 places this issue in the medium severity range, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is through a remotely crafted URL that supplies the malicious limit value to the vulnerable page.

Generated by OpenCVE AI on April 6, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate the limit parameter to allow only numeric values and reject all others
  • Encode all output that includes user‑supplied data using functions such as htmlspecialchars or a templating engine
  • Apply any vendor‑issued update or patch that addresses the reflected XSS flaw
  • If no update is available, restrict the limit parameter to a safe, predefined range of values
  • Perform manual or automated testing to verify that the XSS vector is no longer present

Generated by OpenCVE AI on April 6, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Reflected Cross‑Site Scripting via Limit Parameter in SourceCodester Sales and Inventory System 1.0

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Reflected Cross‑Site Scripting via Limit Parameter in SourceCodester Sales and Inventory System 1.0

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Reflected Cross‑Site Scripting via Limit Parameter in SourceCodester Inventory System 1.0

Mon, 30 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Ahsanriaz26gmailcom
Ahsanriaz26gmailcom inventory System
CPEs cpe:2.3:a:ahsanriaz26gmailcom:inventory_system:1.0:*:*:*:*:*:*:*
Vendors & Products Ahsanriaz26gmailcom
Ahsanriaz26gmailcom inventory System
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 30 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester inventory System
Vendors & Products Sourcecodester
Sourcecodester inventory System

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected Cross‑Site Scripting via Limit Parameter in SourceCodester Inventory System 1.0
Weaknesses CWE-79

Fri, 27 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
References

Subscriptions

Ahsanriaz26gmailcom Inventory System
Sourcecodester Inventory System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:47:23.171Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30571

cve-icon Vulnrichment

Updated: 2026-03-31T16:11:42.873Z

cve-icon NVD

Status : Modified

Published: 2026-03-27T17:16:28.710

Modified: 2026-04-06T14:16:25.273

Link: CVE-2026-30571

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:51Z

Weaknesses