CVE-2026-30556

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*

History

01 Apr 2026, 15:42

Type Values Removed Values Added
References () https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-Index-msg.md - () https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-Index-msg.md - Exploit, Third Party Advisory
First Time Ahsanriaz26gmailcom
Ahsanriaz26gmailcom sales And Inventory System
CPE cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*

31 Mar 2026, 18:16

Type Values Removed Values Added
CWE CWE-79
References () https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-Index-msg.md - () https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-Index-msg.md -
Summary
  • (es) Una vulnerabilidad de cross-site scripting (XSS) reflejado existe en SourceCodester Sales and Inventory System 1.0. La vulnerabilidad se encuentra en el archivo index.php a través del parámetro 'msg'. La aplicación no logra sanear la entrada, permitiendo a atacantes remotos inyectar scripts web o HTML arbitrarios a través de una URL manipulada.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1

30 Mar 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-30 16:16

Updated : 2026-06-17 10:32


NVD link : CVE-2026-30556

Mitre link : CVE-2026-30556

CVE.ORG link : CVE-2026-30556


JSON object : View

Products Affected

ahsanriaz26gmailcom

  • sales_and_inventory_system
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')