Description
A flaw has been found in SourceCodester Sales and Inventory System 1.0. Affected is an unknown function of the file /delete.php of the component GET Parameter Handler. This manipulation of the argument ID causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Published: 2026-04-08
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Cross-site scripting
Action: Immediate Patch
AI Analysis

Impact

A flaw in SourceCodester Sales and Inventory System 1.0 allows an attacker to inject malicious script via the ID parameter of /delete.php. The injected script executes in the victim's browser, enabling actions such as session hijacking, data theft, or defacement. This is a classic client-side injection weakness classified as CWE-79 (cross-site scripting); CWE-94 (code injection) is also assigned.

Affected Systems

The affected product is SourceCodester Sales and Inventory System version 1.0. No other versions or vendors were listed.

Risk and Exploitability

The CVSS base score is 5.1, indicating a moderate severity. Exploitability scores are not available and the vulnerability is not listed in CISA KEV. The attack vector is inferred to be remote via a crafted GET request to /delete.php with a malicious ID value. An attacker who can persuade a user to visit the URL or modify existing URLs can achieve arbitrary script execution within the context of the application.

Generated by OpenCVE AI on April 8, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or upgrade to a later version that resolves the ID sanitization issue.
  • If a patch is unavailable, ensure that the ID parameter is validated and sanitized on input, e.g., by using an allowlist or escaping output before rendering.
  • Restrict the /delete.php endpoint to authenticated and authorized users only, and enforce proper permission checks.
  • Deploy a web application firewall or filter that rejects payloads containing script tags or suspicious characters in query parameters.
  • Perform a security audit or penetration test against the delete endpoint to confirm that the vulnerability has been eliminated.
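A hardened delete handler along the lines of the actions above, added here as an example and not code from the SourceCodester project. It assumes a PDO connection in $pdo, a session-based login with a role field, and a products table; all of those names are assumptions.

```php
<?php
// Added example (not SourceCodester code): hardened handling of the GET
// parameter "id" for a delete endpoint, following the recommended actions.
// Assumptions: $pdo is an open PDO connection, the login stores user_id and
// role in the session, and the table/column names are illustrative.
declare(strict_types=1);
session_start();

// 1. Authentication and authorization before any destructive action.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Allowlist validation: the id must be a positive integer. Anything else
//    is rejected outright and never echoed back, which removes the reflection
//    point. Weak pattern this replaces: echo "Invalid id: " . $_GET['id'];
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// 3. Parameterised query: the validated integer never enters the SQL text.
$stmt = $pdo->prepare('DELETE FROM products WHERE id = :id');
$stmt->execute([':id' => $id]);

// 4. Output encoding: escape on output even though $id is already an int,
//    so the rule still holds if other fields are reflected later.
$safeId = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Record {$safeId} deleted.</p>";
```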


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Values removed: (none)

Values added:

First Time appeared: Sourcecodester; Sourcecodester Sales And Inventory System
Vendors & Products: Sourcecodester; Sourcecodester Sales And Inventory System

Wed, 08 Apr 2026 22:15:00 +0000

Values removed: (none)

Values added:

Description: A flaw has been found in SourceCodester Sales and Inventory System 1.0. Affected is an unknown function of the file /delete.php of the component GET Parameter Handler. This manipulation of the argument ID causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Title: SourceCodester Sales and Inventory System GET Parameter delete.php cross site scripting
Weaknesses: CWE-79, CWE-94
References:
Metrics:
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-08T22:00:17.660Z

Reserved: 2026-04-08T15:13:31.519Z

Link: CVE-2026-5810

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:25.067

Modified: 2026-04-08T22:16:25.067

Link: CVE-2026-5810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:46Z

Weaknesses