PatchSiren cyber security CVE debrief
CVE-2026-9414 SourceCodester CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Indian Invoicing System up to version 1.0. The flaw resides in the `customer_name` parameter of `/Invoicing/add_order.php`, allowing remote attackers to inject malicious scripts that execute in the context of authenticated users. The vulnerability has been publicly disclosed with proof-of-concept material available. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required for initial access, but requires user interaction for exploitation, with low integrity impact. The vulnerability is classified as LOW severity with a base score of 2.0. No known active exploitation or ransomware campaign use has been documented. The vendor attribution remains unconfirmed with low confidence, derived from reference domain analysis.
- Vendor: SourceCodester
- Product: Indian Invoicing System
- CVSS: LOW 2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations operating SourceCodester Indian Invoicing System versions up to 1.0; security teams managing PHP-based invoicing applications; developers responsible for input validation in database-backed template rendering systems
Technical summary
The vulnerability exists in the Invoice Template Render Database-Backed component of SourceCodester Indian Invoicing System. The `customer_name` parameter in `/Invoicing/add_order.php` fails to properly sanitize user input before storing and rendering it in invoice templates. This stored XSS flaw allows attackers with network access to inject malicious scripts that execute when authenticated users view affected invoices. The attack requires user interaction (victim must view the crafted invoice) and provides low integrity impact. The exploit has been publicly released, increasing the risk of opportunistic attacks against unpatched instances.
Defensive priority
LOW
Recommended defensive actions
- Implement strict input validation and sanitization for the `customer_name` parameter in `add_order.php`, applying context-appropriate encoding (HTML entity encoding) before rendering in invoice templates
- Apply Content Security Policy (CSP) headers to restrict script execution sources and mitigate impact of injected payloads
- Conduct code review of all database-backed template rendering functions to identify similar injection points
- Monitor for unauthorized access attempts to `/Invoicing/add_order.php` and anomalous invoice record modifications
- Review and update web application firewall rules to detect and block common XSS payload patterns in customer data fields
- Verify vendor attribution and obtain official patch from SourceCodester when available; consider temporary input filtering at application gateway if vendor patch is delayed
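The first two actions above (output encoding for `customer_name` and a restrictive CSP) are illustrated in the following PHP example. It is added here for this debrief and is not SourceCodester's code: the function names, the `orders` table and column, the form field handling and the sample value are all constructed assumptions. It contrasts an unsafe template that echoes the stored value raw (the CWE-79 pattern described above) with a hardened version that encodes at output time, validates on input, and sets a CSP header on invoice views.

```php
<?php
// Added example for this debrief, not the vendor's source. Function names,
// table/column names and the sample value below are constructed assumptions.
declare(strict_types=1);

// --- Unsafe pattern (illustrates the CWE-79 flaw class) ---
// The stored value is concatenated straight into the HTML body, so any
// markup in customer_name becomes part of the invoice page.
function render_customer_row_unsafe(string $customerName): string
{
    return "<td>" . $customerName . "</td>";
}

// --- Hardened pattern: encode for the HTML-body context at output time ---
// ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
// instead of silently returning an empty string, and the explicit charset
// must match the page's declared encoding.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_customer_row(string $customerName): string
{
    return "<td>" . html_text($customerName) . "</td>";
}

// --- Input-side validation for the add_order.php form field (assumed name) ---
// This narrows what gets stored; it complements output encoding rather than
// replacing it, because the same value may later be rendered in other contexts.
function validate_customer_name(string $raw): string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 200) {
        throw new InvalidArgumentException('customer_name must be 1-200 bytes');
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        throw new InvalidArgumentException('customer_name contains control characters');
    }
    return $name;
}

// --- Storing the validated value with a prepared statement (assumed schema) ---
function store_order(PDO $db, string $customerName): void
{
    $stmt = $db->prepare('INSERT INTO orders (customer_name) VALUES (:name)');
    $stmt->execute([':name' => validate_customer_name($customerName)]);
}

// --- CSP for invoice views: no inline scripts, scripts only from this origin ---
// Call before any output on the pages that render invoices.
function send_invoice_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Demonstration with a constructed sample value (run with: php example.php)
$sample = "O'Brien & Co <script>";
echo "unsafe:   ", render_customer_row_unsafe($sample), PHP_EOL;
echo "hardened: ", render_customer_row($sample), PHP_EOL;
```

Running the script shows the unsafe row containing a live `<script>` tag while the hardened row contains only entity-encoded text. Note that `html_text()` is correct for the HTML body and attribute values; a value placed inside a JavaScript string or a URL needs a different encoder for that context, which is why the code review action above should check every template that renders `customer_name`.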
Evidence notes
Vulnerability identified through a VulDB submission (ID 813610). CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code) are classified as the primary weakness types. CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. NVD status: Deferred.
Official resources
Public disclosure occurred on 2026-05-25 with subsequent modification on 2026-05-26. Proof-of-concept material has been released publicly.