CVE-2026-30560
Reflected XSS in SourceCodester Sales Inventory add_supplier.php
Publication date: 2026-03-30
Last updated on: 2026-04-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ahsanriaz26gmailcom | sales_and_inventory_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30560 is a Reflected Cross-Site Scripting (XSS) vulnerability found in SourceCodester Sales and Inventory System version 1.0, specifically in the add_supplier.php file via the "msg" parameter.
The vulnerability occurs because the application does not properly sanitize the input received through the "msg" parameter, which is reflected back to the user without validation.
This allows remote attackers to inject arbitrary web scripts or HTML by crafting a malicious URL that, when visited by an authenticated administrator, executes the injected script.
How can this vulnerability impact me? :
The vulnerability can lead to the execution of malicious JavaScript code in the context of an authenticated administrator's browser.
- Attackers can hijack administrator sessions by stealing session cookies.
- It may enable privilege escalation by allowing attackers to perform unauthorized actions within the system.
The attack requires the victim to be logged in as an administrator and to visit a crafted URL containing the malicious payload.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the add_supplier.php page with a crafted URL containing a malicious payload in the "msg" parameter. For example, an attacker can use a URL like: http://127.0.0.1:8089/add_supplier.php?msg=<img src="x" onerror="alert(808774)">. If the script executes (e.g., an alert box appears), the vulnerability is present.
To detect this on your system, you can use tools like curl or wget to send the crafted GET request and observe the response for reflected scripts.
- curl -i "http://your-target/add_supplier.php?msg=<img src='x' onerror='alert(808774)'>"
- Observe the response in a browser or intercept with a proxy to check if the injected script is reflected without sanitization.
Note that the victim must be an authenticated administrator for the attack to succeed, so testing should be done with appropriate credentials.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs, especially the "msg" parameter in add_supplier.php, to prevent injection of malicious scripts.
Additionally, restrict access to the add_supplier.php page to only trusted and authenticated administrators.
As a temporary workaround, avoid clicking on suspicious or untrusted URLs containing parameters that reflect user input.
Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows remote attackers to inject malicious scripts that can lead to session hijacking and privilege escalation by stealing administrator session cookies.
Such unauthorized access and potential data breaches could impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure user authentication.
Failure to prevent this reflected XSS vulnerability may result in unauthorized disclosure or manipulation of personal or sensitive information, thereby violating these regulations.