This vulnerability is a reflected XSS in SourceCodester Sales and Inventory System 1.0, specifically in the add_sales.php file's "msg" parameter. The application fails to sanitize input, enabling injection of arbitrary scripts or HTML via crafted URLs. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity with no impact on availability.

Successful exploitation allows remote attackers to execute arbitrary scripts in the context of the affected application, potentially leading to information disclosure and integrity issues. There is no direct impact on system availability. No known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider implementing input validation or output encoding on the "msg" parameter to mitigate reflected XSS risks. Monitor vendor channels for updates or official fixes.