CVE-2026-30561 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System version 1.0. The vulnerability exists in the add_purchase.php script, specifically through the 'msg' parameter, which fails to properly sanitize or encode user-supplied input. This flaw allows remote attackers to craft malicious URLs containing arbitrary JavaScript or HTML code that, when accessed by a victim, executes in the context of the victim's browser. Reflected XSS attacks typically require the victim to click a malicious link, which then reflects the injected script back in the HTTP response. The lack of input validation and output encoding in this parameter means that attackers can exploit this to perform actions such as session hijacking, stealing cookies, redirecting users to malicious sites, or defacing web content. Although no public exploits have been reported yet, the vulnerability is straightforward to exploit given its reflected nature and does not require authentication, increasing its risk profile. The absence of a CVSS score necessitates an assessment based on the vulnerability's characteristics, which indicate a moderate threat level. The vulnerability affects all installations of SourceCodester Sales and Inventory System 1.0 that have not implemented custom input sanitization or patches. Since the vulnerability is in a widely used inventory management system, it could impact numerous small and medium-sized businesses that rely on this software for daily operations.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate legitimate users and gain unauthorized access to sensitive information or functionality within the application. It can also facilitate phishing attacks by redirecting users to malicious websites or displaying deceptive content. While the vulnerability does not directly affect system availability, the resulting compromise could lead to broader attacks or data breaches. Organizations using the affected software risk reputational damage, loss of customer trust, and potential regulatory penalties if sensitive data is exposed. The ease of exploitation without authentication and the potential for widespread impact on small and medium enterprises make this a significant concern. However, the requirement for user interaction (clicking a crafted link) somewhat limits the scope compared to fully automated exploits.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the 'msg' parameter in add_purchase.php. Specifically, all user-supplied input should be sanitized to remove or encode HTML special characters before reflecting them in the response. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting the execution of unauthorized scripts. If a patch from the vendor is unavailable, applying web application firewall (WAF) rules to detect and block malicious payloads targeting the 'msg' parameter can provide interim protection. Additionally, educating users about the risks of clicking unsolicited links and monitoring logs for suspicious URL access patterns can help detect exploitation attempts. Regularly updating the software and applying security best practices for web applications will further reduce exposure. Finally, organizations should consider migrating to updated or alternative inventory management solutions that follow secure coding standards.