CVE-2026-30562: n/a
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_stock.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.
AI Analysis
Technical Summary
CVE-2026-30562 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System version 1.0. The flaw exists in the add_stock.php script, specifically through the 'msg' parameter, which fails to properly sanitize or encode user-supplied input. This allows remote attackers to craft URLs containing malicious JavaScript or HTML code that, when visited by a victim, executes in the context of the vulnerable web application. Reflected XSS vulnerabilities are typically exploited by tricking users into clicking malicious links, leading to execution of arbitrary scripts that can steal session cookies, perform actions on behalf of the user, or redirect users to phishing or malware sites. The vulnerability does not require authentication, increasing its risk profile. Although no public exploits have been reported, the vulnerability is publicly disclosed and thus potentially exploitable. The absence of a CVSS score requires an assessment based on impact and exploitability factors. The vulnerability affects all deployments of SourceCodester Sales and Inventory System 1.0 that have not implemented input validation or output encoding on the 'msg' parameter. Mitigation requires applying patches if available or implementing strict input validation and output encoding to neutralize malicious payloads. Organizations relying on this system should conduct code reviews and penetration testing to identify and remediate this and similar vulnerabilities.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data. Attackers exploiting this reflected XSS can hijack user sessions, steal sensitive information such as authentication tokens, or manipulate the web interface to perform unauthorized actions. This can lead to unauthorized access, data leakage, or reputational damage for organizations. Additionally, users may be redirected to malicious websites, increasing the risk of malware infections or phishing attacks. Since the vulnerability does not require authentication and can be triggered via a crafted URL, it poses a significant risk to all users interacting with the vulnerable system. The availability impact is generally low unless combined with other vulnerabilities. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. Organizations using the affected software, particularly those managing inventory and sales data, face risks of operational disruption and data compromise.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first check for and apply any official patches or updates released by the vendor for SourceCodester Sales and Inventory System 1.0. In the absence of patches, implement strict input validation on the 'msg' parameter to reject or sanitize any input containing HTML or JavaScript code. Employ output encoding techniques such as HTML entity encoding before reflecting user input back to the browser to prevent script execution. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Conduct regular security assessments and penetration tests focusing on input validation and XSS vulnerabilities. Educate users to avoid clicking suspicious links and implement web application firewalls (WAFs) that can detect and block XSS attack patterns. Additionally, review and harden session management to minimize the impact of potential session hijacking. Logging and monitoring for unusual web requests targeting the 'msg' parameter can help detect exploitation attempts early.
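The two mitigation steps above that a defender can act on immediately are output encoding before reflecting 'msg' and monitoring for requests to add_stock.php whose 'msg' value carries markup. The Python script below is an added example, not code from the SourceCodester product or from this advisory; the access-log format (Apache/nginx combined style), the /inventory/ path prefix, the client addresses, and the request lines are constructed fixtures. It URL-decodes the 'msg' value (repeatedly, to catch double-encoding), flags values containing tag, event-handler or javascript: markers, and shows the HTML entity encoding (the counterpart of PHP's htmlspecialchars with ENT_QUOTES) that neutralises the same input when it is rendered.

```python
"""Heuristic detection of XSS probes against the 'msg' parameter of
add_stock.php, plus the output encoding that neutralises them.
Added example; not code from the affected product."""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). Addresses are
# documentation ranges; the two curl requests are benign test probes.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2026:15:53:19 +0000] "GET /inventory/add_stock.php?msg=Stock+added HTTP/1.1" 200 1324 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Mar/2026:15:54:02 +0000] "GET /inventory/add_stock.php?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1401 "-" "curl/8.4.0"
203.0.113.9 - - [30/Mar/2026:15:54:10 +0000] "GET /inventory/add_stock.php?msg=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 1388 "-" "curl/8.4.0"
198.51.100.7 - - [30/Mar/2026:15:55:41 +0000] "GET /inventory/index.php?msg=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2026:15:56:00 +0000] "GET /inventory/add_stock.php?msg=Item%20%22Widget%22%20saved HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that have no place in a status message: an opening/closing tag,
# an inline event handler, or a javascript: URL scheme.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo nested URL-encoding so %253C (double-encoded '<') is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str, script: str = "/add_stock.php", param: str = "msg"):
    """Return a finding dict if the request targets `script` with markup in `param`."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parsable access-log line
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(script):
        return None  # different script; out of scope for this detection
    # parse_qs already decodes once; decode again to catch layered encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        value = decode_fully(raw)
        if MARKUP_RE.search(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), "msg": value}
    return None


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect the findings in order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


def encode_for_html(value: str) -> str:
    """HTML entity encoding to apply before reflecting 'msg' into a page.
    Escapes & < > " ' (same character set as PHP htmlspecialchars with
    ENT_QUOTES), so the browser renders the text instead of parsing it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} msg={hit['msg']!r}")
        print("  rendered safely as:", encode_for_html(hit["msg"]))
```

Two caveats apply. The detection is a heuristic for early warning only: it sees GET query strings, not POST bodies, and a request that uses an encoding the decoder does not unwrap will pass unflagged, so the encoding step (or a vendor patch) remains the actual fix. A CSP header that disallows inline script is a worthwhile second layer, but on a reflected XSS it mitigates rather than removes the bug, since the encoding of 'msg' is what stops the injected markup from ever becoming script.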
Affected Countries
United States, India, Philippines, Indonesia, Brazil, United Kingdom, Canada, Australia, Germany, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-03-04T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69ca9c6fe6bfc5ba1d4725ad
Added to database: 3/30/2026, 3:53:19 PM
Last enriched: 3/30/2026, 4:09:12 PM
Last updated: 3/31/2026, 5:02:08 AM