CVE-2026-30559
Reflected XSS in SourceCodester Sales Inventory add_sales.php
Publication date: 2026-03-30
Last updated on: 2026-04-06
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ahsanriaz26gmailcom | sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30559 is a reflected Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System version 1.0, specifically in the add_sales.php file.
The vulnerability exists because add_sales.php reads a "msg" parameter from the GET query string and echoes its value into the HTML response without HTML-encoding it, so markup supplied by the requester is rendered as markup rather than as text.
A remote attacker who can get a victim to open a crafted URL can therefore inject arbitrary JavaScript into the page; the script runs in the victim's browser within the application's origin, with whatever session the victim (typically an authenticated user) currently holds.
How can this vulnerability impact me?
An attacker exploits this vulnerability by delivering a crafted add_sales.php URL to an authenticated administrator, for example by e-mail or chat, since a reflected XSS payload is only triggered when the victim's browser makes the request.
When the administrator opens the link, the injected script executes in their session and can read session cookies (unless they are flagged HttpOnly), issue requests to the application on the administrator's behalf, or capture what the administrator types on the page.
This can result in unauthorized changes to sales and inventory data, creation or modification of accounts, and, in effect, full control of whatever the administrator's account can do in the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by requesting add_sales.php with a harmless probe in the "msg" parameter and checking how it comes back. A payload such as `<img src="x" onerror="alert(808774)">` (the number is only a unique marker so the hit cannot be confused with normal page content) is a useful probe: if the response contains it character-for-character, the parameter is reflected unencoded; if it comes back as `&lt;img src=&quot;x&quot; ...&gt;`, the output is being encoded and the page is not vulnerable to this particular injection.
Two checks are needed: a command-line request shows whether the payload is reflected raw (curl cannot execute JavaScript, so it can only show reflection, not execution), and a browser confirms that the reflected markup actually executes. Because add_sales.php is part of the authenticated application, include a valid session cookie (PHP's default cookie name is PHPSESSID) or the request will usually be answered with a redirect to the login page rather than the vulnerable page. Percent-encode the payload; angle brackets and spaces are not valid raw in a URL and recent curl versions reject them.
- curl -i -G --data-urlencode 'msg=<img src="x" onerror="alert(808774)">' -b 'PHPSESSID=<your session id>' "http://your-inventory-system/add_sales.php" | grep -c 'onerror="alert(808774)"'
- A count of 1 or more means the probe was reflected without encoding; a count of 0 with an HTTP 200 means it was encoded or not reflected, and a 302 to the login page means the session cookie was not accepted.
- Then log in as an administrator in a browser and open the same URL with the crafted msg parameter; an alert box showing 808774 confirms that the reflected markup executes.
What immediate steps should I take to mitigate this vulnerability?
The correct fix is contextual output encoding: wherever add_sales.php writes the "msg" parameter into the page, pass it through htmlspecialchars() with ENT_QUOTES and an explicit charset so that `<`, `>`, `&`, `"` and `'` are rendered as text rather than interpreted as markup. Input "sanitization" (stripping tags on the way in) is a weaker substitute and is easily bypassed; encoding at the point of output is what closes this class of bug.
As defence in depth, set the session cookie with the HttpOnly flag so an injected script cannot read it directly, add a Content-Security-Policy that disallows inline scripts and event handlers, restrict the application to trusted networks or users, and, as a stopgap only, apply WAF rules that block obvious script and event-handler payloads in the msg parameter.
This page lists only version 1.0 as affected and does not identify a fixed release; apply the vendor's fix if and when one is published, and otherwise patch the output encoding in add_sales.php yourself.
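The following is an added example, not code from this page or from the SourceCodester project, that ties the detection and mitigation answers together. It builds a correctly percent-encoded probe URL, classifies a response body as reflecting the probe raw, encoded, or not at all (which is the check the curl/grep step above performs by hand), and contrasts a stand-in for the flawed echo in add_sales.php with its hardened form. The function names, the `<div class="alert">` wrapper and the host name inventory.example are assumptions for illustration; the real file's markup is not shown on this page. The hardened renderer uses Python's html.escape, which encodes the same five characters as PHP's htmlspecialchars() with ENT_QUOTES.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Unique marker so a hit in the response cannot be mistaken for normal page text.
MARKER = "xss808774"
PROBE = f'<img src="x" onerror="alert({MARKER})">'


def build_probe_url(base_url, param="msg", probe=PROBE):
    """Percent-encode the probe so angle brackets, quotes and spaces survive the request."""
    return f"{base_url}?{urlencode({param: probe})}"


def classify_reflection(body, probe=PROBE):
    """Classify how a response body reflects the probe.

    'raw'     - probe appears character-for-character: markup is live, page is vulnerable
    'encoded' - probe appears HTML-encoded (with or without quote encoding): output is escaped
    'absent'  - probe does not appear at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body or html.escape(probe, quote=False) in body:
        return "encoded"
    return "absent"


def render_vulnerable(msg):
    """Hypothetical stand-in for the flaw: the msg value is echoed into HTML unchanged."""
    return f'<div class="alert">{msg}</div>'


def render_hardened(msg):
    """Fix: encode on output. PHP equivalent: htmlspecialchars($msg, ENT_QUOTES, 'UTF-8')."""
    return f'<div class="alert">{html.escape(msg, quote=True)}</div>'


def check_renderer(render, probe_url):
    """Extract msg from the probe URL the way the server would, render it, and classify."""
    msg = parse_qs(urlparse(probe_url).query).get("msg", [""])[0]
    return classify_reflection(render(msg))


def probe_live(probe_url, session_cookie=None, timeout=10):
    """Send the probe to a real host you are authorized to test and classify the body.

    session_cookie is the raw Cookie header value, e.g. 'PHPSESSID=...' (PHP's default
    session cookie name); without it an authenticated page normally redirects to login.
    """
    headers = {"Cookie": session_cookie} if session_cookie else {}
    with urlopen(Request(probe_url, headers=headers), timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
        return resp.status, classify_reflection(body)


if __name__ == "__main__":
    # Offline demonstration against the two constructed renderers.
    url = build_probe_url("http://inventory.example/add_sales.php")
    print("probe URL:", url)
    print("vulnerable renderer:", check_renderer(render_vulnerable, url))  # raw
    print("hardened renderer:  ", check_renderer(render_hardened, url))    # encoded
```

To test a real deployment, call `probe_live(build_probe_url("http://your-inventory-system/add_sales.php"), "PHPSESSID=...")`; a result of `(200, "raw")` matches the curl/grep finding above, while `"encoded"` means the output path has been fixed. The classifier accepts both quote-encoded and quote-preserving forms because htmlspecialchars() behaves differently depending on the ENT_* flags used.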
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets a remote attacker execute script in an authenticated administrator's session, which can lead to session hijacking and to actions taken in the administrator's name.
Because the affected application stores sales and customer records, such access can expose or alter personal or otherwise sensitive data, and regulations such as GDPR and HIPAA require organizations to protect that data with appropriate technical controls.
A successful exploit could therefore count as a reportable security incident under those frameworks, and an unpatched instance handling regulated data weakens the organization's ability to demonstrate compliance.