{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30569", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T14:34:01.869Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T14:34:01.869Z"}, "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewStockAvailability-limit.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ahsanriaz26gmailcom:inventory_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D4A61A9C-F969-4CD2-8A33-1A36DFFDEB8E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "id": "CVE-2026-30569", "lastModified": "2026-03-30T17:19:46.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T17:16:28.483", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewStockAvailability-limit.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "inventory_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-27T18:24:42.137495+00:00", "value": {"mitigation_remediation": ["Check for an official patch or update for SourceCodester Inventory System 1.0"], "summary": {"action": "Patch if available", "impact": "Cross\u2011site scripting via unsanitized limit parameter"}, "threat_synthesis": {"affected_systems": "The vulnerability affects SourceCodester Inventory System version 1.0. No other vendors or products are listed as impacted.", "description_and_impact": "A reflected cross\u2011site scripting flaw exists in the view_stock_availability.php component of the inventory management application. An attacker can supply a specially crafted limit value in the request URL, causing the application to echo the value back to the browser without any encoding or validation. The injected payload can execute arbitrary JavaScript in the context of any user who visits the URL, potentially stealing session cookies, defacing the site, or facilitating further attacks against authenticated users.", "risk_and_exploitability": "The fault relies solely on external input and requires no authentication, making it reachable over the public network. The CVSS score is not provided in the data, and no EPSS indication is available, so the exact probability of exploitation remains unclear. Because the attack vector is remote and the impact involves client\u2011side code execution, organizations should treat this flaw as high risk unless mitigated by a patch or a proper input\u2011sanitization measure. The vulnerability is not recorded in the CISA KEV list, suggesting no known public exploits yet."}}}}, "created": "2026-03-27T20:25:56.337405+00:00", "title": "Reflected XSS via limit Parameter in Inventory System", "updated": "2026-03-30T08:00:07.835776+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$inventory_system"], "weaknesses": ["CWE-79"]}