CVE-2026-30562
Reflected XSS in SourceCodester Sales Inventory add_stock.php
Publication date: 2026-03-30
Last updated on: 2026-04-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ahsanriaz26gmailcom | sales_and_inventory_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30562 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Sales and Inventory System version 1.0, specifically in the add_stock.php file.
The vulnerability occurs because the application does not properly sanitize the "msg" parameter received via a GET request. This parameter is reflected back to the user without validation, allowing an attacker to inject malicious JavaScript or HTML code.
An attacker can craft a malicious URL containing a payload that executes arbitrary scripts when an authenticated administrator accesses it. For example, a payload like `<img src="x" onerror="alert(808774)">` can trigger JavaScript execution in the administrator's browser.
How can this vulnerability impact me? :
This vulnerability can have serious impacts if exploited by an attacker.
- Session hijacking: Attackers can steal administrator session cookies, gaining unauthorized access.
- Privilege escalation: Attackers can perform unauthorized actions with administrative privileges.
- Execution of arbitrary scripts in the context of an authenticated user, potentially leading to further compromise of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the add_stock.php page with a crafted URL that injects a script into the "msg" parameter and observing if the script executes.
For example, you can use a web browser or command-line tools like curl to send a GET request with a payload such as:
- curl "http://<target-ip>:<port>/add_stock.php?msg=%3Cimg%20src=%22x%22%20onerror=%22alert(808774)%22%3E"
If the response page executes the injected JavaScript (e.g., showing an alert box), it confirms the presence of the reflected XSS vulnerability.
Note that the victim must be an authenticated administrator for the attack to succeed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to execute arbitrary scripts in the context of an authenticated administrator, potentially leading to session hijacking and privilege escalation.
Such unauthorized access and control over administrative functions could result in unauthorized disclosure or modification of sensitive data.
This may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Reflected Cross-Site Scripting (XSS) vulnerability in the add_stock.php file of SourceCodester Sales and Inventory System 1.0, immediate steps include sanitizing and validating the "msg" parameter to prevent injection of malicious scripts.
Additionally, avoid clicking on or opening suspicious URLs containing crafted payloads, especially for authenticated administrator accounts.
Restrict access to the vulnerable page to trusted users only and consider implementing web application firewall (WAF) rules to detect and block malicious input patterns targeting the "msg" parameter.
If possible, update or patch the application to a version that addresses this vulnerability.