CVE-2026-30564 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System version 1.0. The vulnerability resides in the view_payments.php script, specifically in the handling of the 'limit' parameter. This parameter is not properly sanitized or encoded before being reflected in the web page output, enabling an attacker to inject arbitrary HTML or JavaScript code via a crafted URL. When a victim clicks such a URL, the malicious script executes in the context of the victim's browser, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect the user to malicious websites. The vulnerability is remotely exploitable without requiring authentication or user interaction beyond visiting the malicious link. Although no exploits have been reported in the wild and no patches are currently available, the presence of this vulnerability in a sales and inventory system poses risks to data confidentiality and integrity. The lack of input validation and output encoding in the affected parameter is a common web application security flaw that can be mitigated by proper coding practices and security controls such as Content Security Policy (CSP) and Web Application Firewalls (WAFs).

The impact of this reflected XSS vulnerability is significant for organizations using the affected SourceCodester Sales and Inventory System 1.0. Attackers can exploit this flaw to execute arbitrary scripts in users' browsers, leading to session hijacking, theft of sensitive information such as credentials or payment data, and unauthorized actions within the application. This can result in data breaches, financial loss, and reputational damage. Since the vulnerability is in a sales and inventory system, it may affect business operations and customer trust. The ease of exploitation without authentication increases the risk, especially if users are tricked into clicking malicious links via phishing or social engineering. Although availability impact is limited, the compromise of confidentiality and integrity can have cascading effects on business processes and compliance with data protection regulations.

To mitigate this vulnerability, organizations should immediately implement input validation and output encoding for the 'limit' parameter in the view_payments.php file to ensure that any user-supplied data is properly sanitized before being reflected in the web page. Employing a Content Security Policy (CSP) can help restrict the execution of unauthorized scripts. Deploying a Web Application Firewall (WAF) with rules to detect and block reflected XSS attacks can provide an additional layer of defense. Educate users to avoid clicking suspicious links and implement monitoring to detect anomalous activities related to this vulnerability. Since no official patch is available, consider isolating or restricting access to the affected system until remediation is possible. Regularly review and update the software to newer, secure versions when released by the vendor or community.