CVE-2026-30559
Received Received - Intake

Reflected XSS in SourceCodester Sales Inventory add_sales.php

Vulnerability report for CVE-2026-30559, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: MITRE

Description

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_sales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-30
Last Modified
2026-04-06
Generated
2026-07-06
AI Q&A
2026-03-30
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ahsanriaz26gmailcom sales_and_inventory_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-30559 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Sales and Inventory System version 1.0, specifically in the add_sales.php file.

The vulnerability occurs because the application accepts a "msg" parameter via a GET request and reflects its value back to the user without proper input sanitization or encoding.

This flaw allows remote attackers to inject and execute arbitrary JavaScript code in the context of authenticated users by crafting a malicious URL containing a payload in the "msg" parameter.

Impact Analysis

An attacker can exploit this vulnerability by sending a crafted URL to an authenticated administrator.

When the administrator visits the malicious URL, the injected script executes, which can lead to stealing session cookies and hijacking the administrator's session.

This can result in unauthorized actions, privilege escalation, and potentially full compromise of the administrator's control over the system.

Detection Guidance

This vulnerability can be detected by testing the add_sales.php page with a crafted URL containing a malicious payload in the "msg" parameter. For example, injecting a payload like `<img src="x" onerror="alert(808774)">` into the msg parameter and observing if the script executes indicates the presence of the vulnerability.

To detect this on your system, you can use tools like curl or a web browser to send a GET request with the payload and check if the script executes or is reflected unsanitized.

  • curl -i "http://your-inventory-system/add_sales.php?msg=<img src='x' onerror='alert(808774)'>"
  • Use a browser to log in as an administrator and visit the URL with the crafted payload in the msg parameter to see if an alert box appears.
Mitigation Strategies

Immediate mitigation steps include sanitizing and encoding all user inputs, especially the "msg" parameter in add_sales.php, to prevent execution of injected scripts.

Additionally, restrict access to the vulnerable page to trusted users only, and consider applying web application firewall (WAF) rules to block suspicious payloads.

If possible, update or patch the Inventory System to a version where this vulnerability is fixed.

Compliance Impact

The vulnerability allows remote attackers to execute arbitrary scripts in the context of authenticated administrators, potentially leading to session hijacking and unauthorized actions.

Such unauthorized access and control over administrative sessions can result in exposure or manipulation of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and sensitive information.

Therefore, this vulnerability could negatively impact compliance by enabling attackers to bypass security controls and access or alter protected data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30559. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart