CVE-2026-30561 - Vulnerability Analysis
MediumCVSS: 5.4Last Updated: April 1, 2026
SourceCodester Sales and Inventory System - Reflected XSS
Published: March 30, 2026Updated: April 1, 2026PoC AvailableRemote Exploitable
Overview
SourceCodester Sales and Inventory System 1.0 contains a reflected XSS caused by unsanitized input in the "msg" parameter of add_purchase.php, letting remote attackers inject arbitrary web scripts via crafted URL.
Severity & Score
Severity: Medium
CVSS Score: 5.4
Impact
Remote attackers can execute arbitrary scripts in users' browsers, potentially stealing session data or performing actions on behalf of users.
Mitigation
Update to the latest version with proper input sanitization.
References
Related Resources
Details
- CVE ID
- CVE-2026-30561
- Severity
- Medium
- CVSS Score
- 5.4
- Type
- reflected_xss
- Status
- confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N