{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30570", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T14:35:46.021Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T14:35:46.021Z"}, "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewSales-limit.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL"}], "id": "CVE-2026-30570", "lastModified": "2026-03-30T15:16:27.480", "metrics": {}, "published": "2026-03-27T17:16:28.597", "references": [{"source": "cve@mitre.org", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewSales-limit.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Undergoing Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "inventory_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-27T18:51:28.336808+00:00", "value": {"mitigation_remediation": ["Check for and apply any vendor\u2011issued updates for SourceCodester Inventory System 1.0.", "Validate and encode all user-supplied values for the limit parameter so no script or HTML can be reflected.", "Implement a Content Security Policy that restricts executable scripts to trusted sources."], "summary": {"action": "Apply Patch", "impact": "Remote Script Execution via Web Browser"}, "threat_synthesis": {"affected_systems": "SourceCodester Inventory System 1.0 contains the affected code in its view_sales.php file. Deployments of this version that expose the limit parameter are susceptible; any user who accesses the view_sales page with a crafted limit query will face the risk.", "description_and_impact": "The vulnerability is a reflected cross\u2011site scripting flaw that occurs in the Inventory System\u2019s view_sales.php page. The application accepts a \"limit\" query parameter but does not sanitize its value, allowing an attacker to embed arbitrary JavaScript or HTML into a crafted URL. When a victim navigates to the malicious link, the embedded code executes within the victim\u2019s browser, giving the attacker the ability to hijack sessions, deface the site, or perform other client\u2011side attacks.", "risk_and_exploitability": "Because the flaw is reflected and operates purely via a URL, it can be exploited remotely when a user clicks or otherwise loads the malicious link. The official reference indicates no KEV reporting, so the vulnerability has not yet been catalogued as a known exploited incident by CISA. EPSS data is unavailable, which does not preclude potential exploitation but does not indicate a high likelihood. The CVSS score is not provided, yet the ability to run arbitrary client\u2011side code represents a high impact on confidentiality and integrity for the victim\u2019s session."}}}}, "created": "2026-03-27T20:25:55.394183+00:00", "title": "Reflected XSS via limit parameter in Inventory System", "updated": "2026-03-30T08:00:06.716587+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$inventory_system"], "weaknesses": ["CWE-79"]}