CVE-2026-30562
Published: 30 March 2026
Summary
CVE-2026-30562 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ahsanriaz26Gmailcom Sales And Inventory System. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 23.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-30562 is a reflected cross-site scripting (XSS) vulnerability in SourceCodester Sales and Inventory System 1.0, published on 2026-03-30. The flaw resides in the add_stock.php file, where the "msg" parameter lacks proper input sanitization. This allows remote attackers to inject arbitrary web scripts or HTML through a crafted URL, as classified under CWE-79 with a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).
Attackers require no privileges and can exploit this over the network with low complexity by tricking authenticated users into visiting a malicious URL, for example via phishing or social engineering. Successful exploitation executes the injected script in the victim's browser within the application's origin, potentially leading to high-impact confidentiality and integrity violations, including session hijacking, data theft, or unauthorized actions performed on the victim's behalf; the changed scope (S:C) in the vector reflects that the impact reaches beyond the vulnerable component itself.
A proof-of-concept is available at https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-AddStock-msg.md, demonstrating the vulnerability, though no official advisories or patches are referenced in available details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17101
Vulnerability details
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_stock.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing web application (add_stock.php) directly enables remote exploitation under T1190; script execution in the victim's browser context enables session hijacking under T1185.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the core issue by requiring validation and sanitization of untrusted inputs like the 'msg' parameter in add_stock.php to block malicious script injection.
SI-15 prevents reflected XSS by filtering and encoding output containing the unsanitized 'msg' parameter before it is rendered in the victim's browser.
SI-2 mandates identification, reporting, and correction of the specific coding flaw lacking input sanitization in add_stock.php, preventing exploitation.
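The following PHP is an added illustration of how the SI-10 and SI-15 controls above translate into code for a reflected parameter like "msg"; it is not code from the SourceCodester project, the referenced proof-of-concept, or the advisory. The function names, the message-code allowlist, and the assumption that add_stock.php echoes the parameter into an HTML text context are all assumptions made for this example.

```php
<?php
// Added illustration (not code from the SourceCodester project or its PoC):
// an unsafe reflection of a "msg" query parameter next to two hardened
// versions that correspond to NIST SP 800-53 SI-10 and SI-15. Function names
// and the message-code allowlist are assumptions made for this example.
declare(strict_types=1);

// Vulnerable pattern (CWE-79): the raw parameter is concatenated into HTML,
// so any markup carried in the URL is interpreted by the victim's browser.
function render_msg_unsafe(string $msg): string
{
    return '<div class="alert">' . $msg . '</div>';
}

// SI-15 (output filtering): encode the value for an HTML text context so the
// browser renders it as literal text. ENT_QUOTES also covers attribute contexts.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_msg_encoded(string $msg): string
{
    return '<div class="alert">' . encode_html($msg) . '</div>';
}

// SI-10 (input validation): treat "msg" as an opaque status code that must
// match an allowlist the application controls; the displayed text is never
// taken from the request. Unknown codes produce no message at all.
const MSG_TEXT = [
    'added'   => 'Stock added successfully.',
    'updated' => 'Stock updated successfully.',
    'error'   => 'The request could not be processed.',
];

function render_msg_allowlisted(?string $code): string
{
    if ($code === null || !array_key_exists($code, MSG_TEXT)) {
        return '';
    }
    // Encode anyway: defence in depth that survives later edits to MSG_TEXT.
    return '<div class="alert">' . encode_html(MSG_TEXT[$code]) . '</div>';
}

if (PHP_SAPI === 'cli') {
    // Offline comparison on a constructed input that contains markup.
    $sample = '<b>demo</b>';
    echo "unsafe:      ", render_msg_unsafe($sample), PHP_EOL;
    echo "encoded:     ", render_msg_encoded($sample), PHP_EOL;
    echo "allowlisted: ", render_msg_allowlisted($sample), PHP_EOL;
    echo "allowlisted: ", render_msg_allowlisted('added'), PHP_EOL;
} else {
    // In a page such as add_stock.php the parameter arrives from the query string.
    // A restrictive CSP is a further, independent layer against injected scripts.
    header("Content-Security-Policy: default-src 'self'");
    $code = isset($_GET['msg']) ? (string) $_GET['msg'] : null;
    echo render_msg_allowlisted($code);
}
```

Run with `php` on the command line to compare the three renderers on the constructed sample; the allowlisted form is the one that removes the reflected-input path entirely, while the encoded form is the minimal change when free text genuinely has to be displayed.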