CVE-2026-30557 - Vulnerability Analysis
MediumCVSS: 5.4Last Updated: April 1, 2026
SourceCodester Sales and Inventory System - Reflected XSS
Published: March 30, 2026Updated: April 1, 2026PoC AvailableRemote Exploitable
Overview
SourceCodester Sales and Inventory System 1.0 contains a reflected XSS caused by unsanitized input in the "msg" parameter of add_category.php, letting remote attackers inject arbitrary web scripts via crafted URLs.
Severity & Score
Severity: Medium
CVSS Score: 5.4
Impact
Remote attackers can execute arbitrary scripts in users' browsers, potentially stealing cookies or performing actions on behalf of users.
Mitigation
Update to the latest version with proper input sanitization or apply patches to sanitize the "msg" parameter.
References
Related Resources
Details
- CVE ID
- CVE-2026-30557
- Severity
- Medium
- CVSS Score
- 5.4
- Type
- reflected_xss
- Status
- confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N