CVE-2026-11518
Received Received - Intake
Cross-Site Scripting in SourceCodester Inventory System

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-08
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11518
EUVD
EUVD-2026-35068
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester inventory_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11518 is a Stored Cross-Site Scripting (XSS) vulnerability in SourceCodester Inventory System 1.0, specifically in the Staff Registration module (register.php). The vulnerability arises because the fullname and username input fields do not properly sanitize or encode user input before storing it in the database.

An attacker can inject malicious JavaScript code into these fields without authentication. When an administrator later views the User Management page (users.php), the malicious scripts are executed in the admin's browser, potentially compromising the admin's session and allowing unauthorized actions.

Compliance Impact

The vulnerability allows an attacker to execute malicious scripts in the administrator's browser session, potentially leading to session hijacking and unauthorized admin-level actions.

Such unauthorized access and manipulation of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Failure to properly sanitize and encode user inputs, as seen in this vulnerability, undermines the security controls necessary to maintain compliance with these standards.

Impact Analysis

This vulnerability can have serious impacts including the hijacking of the administrator's session, execution of malicious scripts within the admin panel, and unauthorized manipulation of inventory data.

  • Stealing the admin's session cookie to gain unauthorized access.
  • Redirecting the admin to phishing pages.
  • Performing admin-level actions silently without the administrator's knowledge.
Detection Guidance

This vulnerability can be detected by testing the Staff Registration module (register.php) for improper input sanitization in the fullname and username fields. Specifically, you can attempt to inject typical XSS payloads such as <script>alert(1)</script> into these fields and then check if the payload executes when viewing the User Management page (users.php).

To detect it on your system, you can use web application testing tools or manual curl commands to submit payloads and observe the response.

  • Example curl command to test injection: curl -X POST -d "fullname=<script>alert(1)</script>&username=testuser" http://targetsite/register.php
  • After submitting, visit the User Management page (users.php) as an admin to see if the script executes.

Additionally, automated scanners that detect stored XSS vulnerabilities can be used to identify this issue.

Mitigation Strategies

Immediate mitigation steps include sanitizing and encoding all user inputs and outputs related to the fullname and username fields.

  • Apply output encoding using htmlspecialchars() with ENT_QUOTES in users.php before rendering user-supplied data in HTML.
  • Validate and sanitize all inputs on the server side in register.php to prevent malicious scripts from being stored.
  • Implement a Content Security Policy (CSP) header to reduce the impact of any potential XSS payload execution.

These steps will help prevent the injection and execution of malicious scripts, protecting admin sessions and data integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart