{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30568", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T14:34:54.423Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T14:34:54.423Z"}, "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in in the view_purchase.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewPurchase-limit.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewPurchase-limit.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T21:59:05.337517Z", "id": "CVE-2026-30568", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T21:59:29.854Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30568", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T21:59:05.337517Z"}}}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewPurchase-limit.md", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T21:59:25.293Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewPurchase-limit.md"}], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in in the view_purchase.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T14:34:54.423Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30568", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:34:54.423Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ahsanriaz26gmailcom:inventory_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D4A61A9C-F969-4CD2-8A33-1A36DFFDEB8E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in in the view_purchase.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "id": "CVE-2026-30568", "lastModified": "2026-03-30T17:18:38.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-27T18:16:05.190", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewPurchase-limit.md"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewPurchase-limit.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "inventory_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-28T05:37:32.211028+00:00", "value": {"mitigation_remediation": ["Sanitize the 'limit' input and escape output before rendering it in the browser", "Implement a Content Security Policy to limit script execution", "Test the application for additional reflected XSS points and remediate as needed", "Keep the application and its components up to date with security patches as they become available"], "summary": {"action": "Apply Filters", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability in SourceCodester Inventory System version 1.0, specifically affecting the view_purchase.php component. No additional affected product versions are listed.", "description_and_impact": "A reflected cross\u2011site scripting flaw in the view_purchase.php file allows a remote attacker to inject and execute arbitrary HTML or JavaScript in a victim's browser via a specially crafted 'limit' parameter. The input is not sanitized, so any script embedded in the URL will run when the unsuspecting user loads the page, potentially stealing session cookies, credentials, or defacing the site. This vulnerability aligns with CWE-79 and enables attackers to compromise confidentiality and integrity of user data within the context of the application.", "risk_and_exploitability": "The CVSS base score of 4.8 indicates moderate risk, and the lack of an EPSS score prevents an accurate prediction of exploitation likelihood. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can exploit it from any external source by visiting a crafted URL containing the malicious 'limit' parameter. No special privileges or authentication are required, making the vector broad and easy to launch from a browser."}}}}, "created": "2026-03-27T20:25:50.975916+00:00", "updated": "2026-03-30T08:00:09.849715+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$inventory_system"]}