PatchSiren cyber security CVE debrief
CVE-2026-30567 Ahsanriaz26gmailcom CVE debrief
CVE-2026-30567 is a reflected cross-site scripting (XSS) issue affecting SourceCodester Sales and Inventory System 1.0, with the vulnerable input reaching view_product.php through the "limit" parameter. According to the supplied NVD data, the issue is network-reachable, requires user interaction, and can let an attacker inject arbitrary web script or HTML into a victim's browser via a crafted URL. The NVD record classifies it as CWE-79 and scores it CVSS 3.1 6.1 (Medium).
- Vendor: Ahsanriaz26gmailcom
- Product: CVE-2026-30567
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-27
- Original CVE updated: 2026-05-10
- Advisory published: 2026-03-27
- Advisory updated: 2026-05-10
Who should care
Administrators, developers, and security teams responsible for SourceCodester Sales and Inventory System 1.0 instances should treat this as a user-facing browser code-injection risk, especially if the application is exposed to untrusted links or used by authenticated users.
Technical summary
The supplied NVD metadata describes a reflected XSS in view_product.php triggered by the limit parameter. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating no privileges are needed, the attack is remotely deliverable, and a victim must interact with a crafted URL. NVD maps the weakness to CWE-79 and lists the vulnerable CPE as ahsanriaz26gmailcom:inventory_system:1.0. The supplied reference also points to a third-party PoC/advisory file, but this debrief does not reproduce exploit details.
Defensive priority
Medium. The supplied data shows no CISA KEV listing, but reflected XSS can still affect session integrity, user trust, and downstream account activity when victims follow malicious links.
Recommended defensive actions
- Apply a vendor fix or upgrade to a patched release if one is available; the supplied corpus does not provide a fixed version.
- Review view_product.php and any related code paths for reflected input handling, especially the limit parameter.
- Use server-side allowlisting for parameter values and strict output encoding before content is rendered in HTML.
- Add or tighten a Content Security Policy to reduce the impact of browser-executed injected script.
- Check whether other query parameters or views in the application reflect untrusted input without encoding.
- If the application is deployed with authenticated users, remind users not to follow untrusted links and consider session-hardening measures such as secure cookie settings.
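The following PHP 8 snippet is an added example, not code from the SourceCodester project or from the advisory, showing what the allowlisting, output-encoding, CSP and cookie-hardening items above look like together for a "limit" style page-size parameter. The function names, the allowlist values, the header values and the HTML are assumptions chosen for illustration.

```php
<?php
// Added example (not the SourceCodester project's code): hardened handling of a
// "limit" query parameter of the kind this debrief describes. Function names,
// allowlist values and the markup below are assumptions.
declare(strict_types=1);

// 1. Allowlist: only a small set of known page sizes is accepted. Any other
//    input, including a script-bearing string, falls back to the default and
//    is never echoed back to the browser.
const ALLOWED_LIMITS = [10, 25, 50, 100];
const DEFAULT_LIMIT  = 25;

function resolveLimit(mixed $raw): int
{
    if (!is_string($raw)) {            // missing, or an array from limit[]=...
        return DEFAULT_LIMIT;
    }
    // FILTER_VALIDATE_INT rejects non-numeric input; the allowlist then rejects
    // integers outside the expected set.
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false || !in_array($value, ALLOWED_LIMITS, true)) {
        return DEFAULT_LIMIT;
    }
    return $value;
}

// 2. Output encoding: every value rendered into HTML goes through this helper,
//    even values we already believe to be safe integers.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. CSP and session-cookie hardening, sent before any output is produced.
function sendHardeningHeaders(): void
{
    // script-src 'self' disallows inline script, limiting the impact if an
    // encoding gap remains elsewhere in the application.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    // Secure, HttpOnly and SameSite flags for the session cookie.
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

sendHardeningHeaders();
$limit = resolveLimit($_GET['limit'] ?? null);

// Any URL that re-embeds the parameter is built from the validated integer,
// never from the raw query string.
$nextUrl = 'view_product.php?limit=' . $limit;
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Products</title></head>
<body>
<p>Showing <?= h((string) $limit) ?> products per page.</p>
<a href="<?= h($nextUrl) ?>">Next page</a>
</body>
</html>
```

The allowlist is the primary control: a page-size parameter has no legitimate reason to carry anything but one of a few integers, so rejecting everything else removes the reflection entirely. The encoding helper and the CSP header are defence in depth for the other views the action list asks you to review, where input cannot be reduced to a fixed set of values.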
Evidence notes
This debrief is based only on the supplied CVE/NVD fields and the linked reference metadata. The evidence supports a reflected XSS finding in view_product.php via the limit parameter, with CWE-79 and the listed CVSS vector. No exploit payloads or reproduction steps are included.
Official resources
- CVE-2026-30567 CVE record (CVE.org)
- CVE-2026-30567 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
Publicly disclosed in the CVE/NVD record on 2026-03-27 and last modified on 2026-05-10. No KEV listing is provided in the supplied data.