CVE-2026-30559
Status: Received - Intake
Reflected XSS in SourceCodester Sales Inventory add_sales.php

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: MITRE

Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_sales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-06
Generated: 2026-06-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor Product Version / Range
ahsanriaz26gmailcom sales_and_inventory_system 1.0
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-30559 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Sales and Inventory System version 1.0, specifically in the add_sales.php file.

The vulnerability occurs because the application accepts a "msg" parameter via a GET request and reflects its value back to the user without proper input sanitization or encoding.

This flaw allows remote attackers to inject and execute arbitrary JavaScript code in the context of authenticated users by crafting a malicious URL containing a payload in the "msg" parameter.

Impact Analysis

An attacker can exploit this vulnerability by sending a crafted URL to an authenticated administrator.

When the administrator visits the malicious URL, the injected script executes, which can lead to stealing session cookies and hijacking the administrator's session.

This can result in unauthorized actions, privilege escalation, and potentially full compromise of the administrator's control over the system.

Detection Guidance

This vulnerability can be detected by testing the add_sales.php page with a crafted URL containing a malicious payload in the "msg" parameter. For example, injecting a payload like `<img src="x" onerror="alert(808774)">` into the msg parameter and observing if the script executes indicates the presence of the vulnerability.

To detect this on your system, you can use tools like curl or a web browser to send a GET request with the payload and check if the script executes or is reflected unsanitized.

  • curl -i "http://your-inventory-system/add_sales.php?msg=<img src='x' onerror='alert(808774)'>"
  • Use a browser to log in as an administrator and visit the URL with the crafted payload in the msg parameter to see if an alert box appears.

Mitigation Strategies

Immediate mitigation steps include sanitizing and encoding all user inputs, especially the "msg" parameter in add_sales.php, to prevent execution of injected scripts.

Additionally, restrict access to the vulnerable page to trusted users only, and consider applying web application firewall (WAF) rules to block suspicious payloads.

If possible, update or patch the Inventory System to a version where this vulnerability is fixed.
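The encoding fix described above, as an added example that is not code from the SourceCodester project: the raw-echo pattern is an assumption about how add_sales.php reflects "msg" (not a confirmed excerpt), shown beside a hardened replacement and a restrictive Content-Security-Policy header.

```php
<?php
// Added example, not code from the SourceCodester project. The raw-echo
// pattern below is an assumption about how add_sales.php reflects "msg".

// Assumed vulnerable pattern: the query parameter is concatenated into
// the page unchanged, so any markup in it becomes part of the DOM.
function render_msg_vulnerable(string $msg): string
{
    return '<div class="alert">' . $msg . '</div>';
}

// Hardened form: encode for the HTML context in which the value lands.
// ENT_QUOTES also encodes single quotes, which matters if the value is
// ever placed inside a single-quoted attribute (the advisory's payload
// relies on that quoting). ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole message into an empty string.
function render_msg_safe(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $encoded . '</div>';
}

// Defence in depth for the page: with no 'unsafe-inline', an inline
// onerror= handler does not execute even if encoding is missed elsewhere.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// How the page would use it (hypothetical wiring, not the project's code).
if (PHP_SAPI !== 'cli') {
    send_csp_header();
    if (isset($_GET['msg'])) {
        echo render_msg_safe((string) $_GET['msg']);
    }
} else {
    // CLI demonstration with the payload quoted in the advisory (constructed input).
    $payload = "<img src='x' onerror='alert(808774)'>";
    echo "vulnerable: ", render_msg_vulnerable($payload), PHP_EOL;
    echo "hardened:   ", render_msg_safe($payload), PHP_EOL;
}
```

The encoding has to match the output context: htmlspecialchars() is correct for HTML body and attribute positions, but a value written into a JavaScript string, a URL or a CSS block needs that context's own encoding instead.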

Compliance Impact

The vulnerability allows remote attackers to execute arbitrary scripts in the context of authenticated administrators, potentially leading to session hijacking and unauthorized actions.

Such unauthorized access and control over administrative sessions can result in exposure or manipulation of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and sensitive information.

Therefore, this vulnerability could negatively impact compliance by enabling attackers to bypass security controls and access or alter protected data.
