CVE-2026-30563 identifies a stored Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System version 1.0. The flaw exists in the update_details.php script, where the 'website' parameter from POST requests is not properly sanitized or validated before being stored in the backend database. This allows an authenticated attacker to inject arbitrary JavaScript or HTML code that persists in the database and executes in the context of any user who accesses the store details page. Stored XSS is particularly dangerous because the malicious payload is served to multiple users without requiring repeated exploitation. The vulnerability requires the attacker to have valid credentials, but no further user interaction is needed beyond visiting the compromised page. The lack of input sanitization and output encoding violates secure coding best practices, enabling attackers to steal session cookies, perform actions on behalf of other users, or deliver malware. Although no public exploits or patches are currently available, the vulnerability is publicly disclosed and should be addressed promptly. The absence of a CVSS score necessitates a severity assessment based on the impact and exploitability factors.

The impact of this vulnerability is significant for organizations using the affected SourceCodester Sales and Inventory System. Successful exploitation can lead to unauthorized access to user sessions, theft of sensitive information, defacement of web pages, and potential pivoting to more severe attacks such as privilege escalation or data exfiltration. Since the malicious script executes in the context of authenticated users, it can compromise the confidentiality and integrity of user data and the application environment. The availability impact is generally low but could be indirectly affected if attackers disrupt normal operations through injected scripts. Organizations relying on this system for inventory and sales management may face operational disruptions, reputational damage, and compliance risks if customer or business data is compromised. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with weak access controls or insider threats.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding for all user-supplied data, especially the 'website' parameter in update_details.php. Employing a whitelist approach for acceptable input formats (e.g., validating URLs against a regex pattern) can prevent malicious script injection. Use security libraries or frameworks that automatically handle encoding to prevent XSS. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regularly update and patch the SourceCodester Sales and Inventory System once vendor fixes become available. Conduct thorough code reviews and security testing focusing on input handling and stored data rendering. Enforce strong authentication and session management controls to limit attacker capabilities. Finally, educate users to recognize suspicious behavior and monitor logs for unusual activities related to the store details page.