{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30567", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T14:32:50.326Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T14:32:50.326Z"}, "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_product.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewProduct-limit.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_product.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "id": "CVE-2026-30567", "lastModified": "2026-03-30T15:16:26.963", "metrics": {}, "published": "2026-03-27T18:16:05.083", "references": [{"source": "cve@mitre.org", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewProduct-limit.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Undergoing Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "inventory_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-27T20:06:43.414266+00:00", "value": {"mitigation_remediation": ["Apply an updated version of the view_product.php file that properly validates or sanitizes the \u2018limit\u2019 parameter or apply a vendor patch if available.", "Encode all user\u2011controlled data before rendering it in HTML contexts, for example using htmlspecialchars() with ENT_QUOTES and UTF-8.", "Verify the fix by testing the view_product.php endpoint with benign and malicious inputs."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011site scripting allows execution of arbitrary scripts in a victim\u2019s browser"}, "threat_synthesis": {"affected_systems": "The affected product is the SourceCodester Inventory System, version\u00a01.0, implemented in PHP. The flaw resides in the view_product.php script that processes the \u2018limit\u2019 parameter. No other versions or deployments are documented as vulnerable in the provided material.", "description_and_impact": "A reflected cross\u2011site scripting vulnerability exists in the SourceCodester Inventory System 1.0, located in the view_product.php file via the \u2018limit\u2019 query parameter. The application fails to sanitize the input, allowing a remote attacker to construct a URL that injects malicious JavaScript or HTML. When a user opens the crafted link, the injected code runs in the context of the website, which could lead to defacement, credential theft, or session hijacking.", "risk_and_exploitability": "The flaw allows remote exploitation without authentication. Any user who clicks the malicious link is at risk, as the attacker can inject arbitrary client\u2011side code. Although no CVSS score is supplied, reflected XSS vulnerabilities are typically considered high severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the potential for widespread exploitation remains because the trigger requires only a visit to a crafted URL."}}}}, "created": "2026-03-27T20:25:52.192384+00:00", "title": "Reflected Cross\u2011Site Scripting via Unvalidated \u2018limit\u2019 Parameter in Inventory System", "updated": "2026-03-30T08:00:12.054982+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$inventory_system"], "weaknesses": ["CWE-79"]}