Description
A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the category.php file of SourceCodester Indian Invoicing System that allows an attacker to inject arbitrary script into the msg argument, which is rendered in the browser without proper escaping. This unchecked input leads to a classic cross‑site scripting flaw that can compromise the confidentiality, integrity, or availability of a victim’s session and may be used to hijack accounts, steal credentials, or deface the site.

Affected Systems

SourceCodester: Indian Invoicing System version 1.0. The flaw is triggered by manipulating the msg parameter in the category.php script; no other product variants or versions were identified in the supplied information.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk; no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The description notes that the attack can be initiated remotely and that an exploit is publicly available, so attackers can craft URLs or input payloads that trigger the XSS in any exposed instance of the affected system.

Generated by OpenCVE AI on May 25, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of SourceCodester Indian Invoicing System that contains a fix for the XSS flaw.
  • If a patch is not yet released, edit category.php to escape the msg argument before output, for example using PHP’s htmlspecialchars with the proper flags, or apply a context‑specific output filter.
  • Deploy a web application firewall or input validator that blocks or sanitizes malicious script content in the msg parameter, restricting input to a whitelist of allowed characters.
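As an added illustration of the escaping and allow-list steps above (example code, not code from the Indian Invoicing System, whose affected function the page does not identify): a hypothetical helper that escapes a status message at the point of output, plus an optional allow-list check on the msg parameter. The function names and the way msg is read are assumptions.

```php
<?php
// Added example, not code from the affected project. The page does not
// identify the vulnerable function, so the helpers below are hypothetical.

/**
 * Escape a value for insertion into an HTML text or attribute context.
 * ENT_QUOTES also escapes single quotes, so the result is safe inside
 * both double- and single-quoted attributes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Optional allow-list check for a status message: letters, digits,
 * spaces and basic punctuation only, at most 200 characters.
 * Returns false if anything else appears.
 */
function isAllowedMessage(string $value): bool
{
    return $value !== ''
        && preg_match('/\A[\p{L}\p{N} .,!?:\'()-]{1,200}\z/u', $value) === 1;
}

// Declare the charset so the browser decodes the page the way we escaped it.
header('Content-Type: text/html; charset=UTF-8');

// Reading the msg parameter the way a page like category.php might (assumed).
$raw = isset($_GET['msg']) ? (string) $_GET['msg'] : '';
$msg = isAllowedMessage($raw) ? $raw : 'Invalid message.';

// Escape at the point of output, in addition to the allow-list check;
// the unsafe pattern this replaces would echo the raw parameter directly.
echo '<div class="alert">' . escapeForHtml($msg) . '</div>';
```

The allow-list alone is not a substitute for output escaping: the escape call is what makes the output safe in the HTML context, and the allow-list merely narrows what reaches it.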

Advisories

No advisories yet.

History

Mon, 25 May 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Title | | SourceCodester Indian Invoicing System category.php cross site scripting
First Time appeared | | Sourcecodester; Sourcecodester indian Invoicing System
Weaknesses | | CWE-79; CWE-94
CPEs | | cpe:2.3:a:sourcecodester:indian_invoicing_system:*:*:*:*:*:*:*:*
Vendors & Products | | Sourcecodester; Sourcecodester indian Invoicing System
References | |
Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T01:15:10.056Z

Reserved: 2026-05-24T06:38:34.189Z

Link: CVE-2026-9413

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T02:30:14Z

Weaknesses