CVE-2026-30557 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System version 1.0. The vulnerability exists in the add_category.php script, specifically through the 'msg' parameter, which fails to properly sanitize or encode user-supplied input. This flaw allows an attacker to craft a URL containing malicious JavaScript or HTML code that, when visited by a victim, executes in the victim’s browser within the context of the vulnerable web application. Reflected XSS attacks typically require social engineering to lure victims to click on malicious links. The absence of input validation and output encoding in this parameter exposes users to risks such as session hijacking, cookie theft, unauthorized actions, or website defacement. Although no exploits have been reported in the wild, the vulnerability is publicly disclosed and could be targeted by attackers. The lack of a CVSS score means severity must be assessed based on the vulnerability’s characteristics: it affects confidentiality and integrity, requires user interaction, and impacts a specific web application. The vulnerability highlights the importance of secure coding practices, particularly input sanitization and context-aware output encoding in web applications handling user input.

The primary impact of this vulnerability is the potential compromise of user sessions and sensitive information through the execution of malicious scripts in users’ browsers. Attackers can steal authentication cookies, perform actions on behalf of users, or redirect users to malicious sites. For organizations, this can lead to unauthorized access, data breaches, reputational damage, and loss of customer trust. Since the vulnerability is in a sales and inventory system, attackers might also manipulate displayed data or inject misleading information, potentially disrupting business operations. However, the requirement for user interaction (clicking a crafted URL) limits the attack scope. The absence of known exploits reduces immediate risk but does not eliminate future exploitation potential. Organizations relying on this software or similar vulnerable web applications should consider the threat significant enough to warrant prompt remediation to avoid exploitation and downstream impacts.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data, especially parameters like 'msg' in add_category.php. Employ context-aware encoding libraries to ensure that injected scripts cannot execute in the browser context. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly update and patch the SourceCodester Sales and Inventory System when vendor fixes become available. In the absence of official patches, consider applying web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'msg' parameter. Educate users about the risks of clicking untrusted links to reduce the likelihood of successful social engineering. Conduct security code reviews and penetration testing to identify and remediate similar vulnerabilities proactively. Finally, monitor logs for unusual activity that may indicate attempted exploitation.