CVE-2026-30566
Reflected XSS in SourceCodester Sales Inventory System Limits Parameter
Publication date: 2026-03-30
Last updated on: 2026-04-01
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ahsanriaz26gmailcom | sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute arbitrary JavaScript in the context of authenticated administrator sessions, potentially leading to session hijacking and unauthorized actions.
Such unauthorized access and manipulation of sensitive data could result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Therefore, this vulnerability may negatively impact compliance with these standards by exposing systems to risks of data breaches and unauthorized data handling.
Can you explain this vulnerability to me?
CVE-2026-30566 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Sales and Inventory System version 1.0. It exists in the view_customers.php file through the "limit" parameter, which is used for pagination control.
The vulnerability occurs because the application does not properly sanitize the input passed via the "limit" parameter. This allows remote attackers to inject arbitrary web scripts or HTML by crafting a malicious URL.
When an authenticated user, typically an administrator, visits the malicious URL, the injected script executes in their browser context. This can lead to actions such as session hijacking or unauthorized operations performed with the administrator's privileges.
How can this vulnerability impact me?
This vulnerability can have serious impacts if exploited. Since the malicious script runs in the context of an authenticated administrator, an attacker can hijack the administrator's session by stealing session cookies.
Additionally, the attacker can perform unauthorized actions on the system with the administrator's privileges, potentially leading to privilege escalation and manipulation of the inventory system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the "limit" parameter in the view_customers.php page of the Inventory System 1.0 for reflected Cross-Site Scripting (XSS). An effective method is to craft a URL with a malicious payload in the "limit" GET parameter and observe if the script executes when accessed by an authenticated administrator.
- Use a web browser or a tool like curl or wget to send a request with a payload such as: `view_customers.php?limit=\"><script>alert(15623);</script>`
- Example curl command: `curl -i "http://target/view_customers.php?limit=\"><script>alert(15623);</script>" --cookie "session=your_admin_session_cookie"`
- Observe the response in the browser or the raw HTTP response: if the injected script is reflected unencoded in the HTML (or executes in the browser), the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include validating the "limit" parameter on the server side and encoding it before it is written into the page, so that injected markup or script cannot reach the HTML output.
Additionally, restrict access to the vulnerable page to trusted administrators only, and consider applying web application firewall (WAF) rules to detect and block malicious payloads targeting the "limit" parameter.
If possible, update or patch the Inventory System to a version where this vulnerability is fixed.
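One way to apply the server-side validation and output encoding described above, as an added PHP example that is not code from the SourceCodester project: the function names, and the assumption that view_customers.php reads "limit" from `$_GET` and writes it back into the page markup, are hypothetical.

```php
<?php
// Added example, not the project's own code. The way the real
// view_customers.php handles "limit" is assumed, not taken from the page.

// Weak pattern: the pagination value is written straight back into HTML.
// A value that starts with  ">  closes the attribute and injects markup,
// which is the reflected XSS shape the CVE describes.
function render_limit_field_weak(array $query): string
{
    $limit = $query['limit'] ?? '10';
    return '<input type="hidden" name="limit" value="' . $limit . '">';
}

// Hardened pattern, two independent layers:
//  1. validate: "limit" must be an integer in an allowed range, else default;
//  2. encode: escape anything placed into HTML, even a value already validated.
function sanitize_limit($raw, int $default = 10, int $max = 100): int
{
    $limit = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    // filter_var returns false for null, non-numeric strings and out-of-range values
    return $limit === false ? $default : $limit;
}

function render_limit_field_safe(array $query): string
{
    $limit = sanitize_limit($query['limit'] ?? null);
    // ENT_QUOTES also encodes the double quote, so the attribute cannot be closed early
    $safe = htmlspecialchars((string) $limit, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="limit" value="' . $safe . '">';
}

// Constructed request values for demonstration; the first mirrors the payload shape above.
$constructed = ['limit' => '"><script>alert(15623);</script>'];
echo render_limit_field_weak($constructed), PHP_EOL;          // markup escapes the attribute
echo render_limit_field_safe($constructed), PHP_EOL;          // falls back to the default limit
echo render_limit_field_safe(['limit' => '25']), PHP_EOL;     // valid integer is kept
echo render_limit_field_safe(['limit' => '999']), PHP_EOL;    // out of range, default again
```

Because sanitize_limit returns a bounded integer, the same value can be used for the pagination query without further escaping, while htmlspecialchars stays in place as defence in depth for the HTML context.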