CVE-2026-30565 identifies a Reflected Cross-Site Scripting (XSS) vulnerability in the SourceCodester Sales and Inventory System version 1.0. The vulnerability resides in the 'limit' parameter of the view_supplier.php script, where user-supplied input is not properly sanitized or encoded before being reflected in the web page response. This flaw allows remote attackers to craft URLs containing malicious JavaScript or HTML code that executes in the context of the victim's browser when the URL is accessed. Reflected XSS attacks typically enable attackers to steal session cookies, perform actions on behalf of the user, or redirect victims to malicious websites. The vulnerability does not require authentication or special privileges, making it accessible to any remote attacker. Although no public exploits have been reported yet, the vulnerability is publicly disclosed and thus could be targeted by attackers in the future. The lack of a CVSS score means severity must be assessed based on the vulnerability's characteristics: it impacts confidentiality and integrity by enabling script injection, is easy to exploit via crafted URLs, and affects all users who visit the malicious link. The affected software is a niche sales and inventory management system, often used by small and medium businesses, which may lack robust security controls. No patches or fixes are currently linked, so mitigation relies on input validation and output encoding at the application level.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected organizations. Successful exploitation could allow attackers to hijack user sessions, steal sensitive information such as credentials or business data, and manipulate the user interface to perform unauthorized actions. This can lead to unauthorized access to inventory or sales data, financial fraud, or reputational damage. Since the vulnerability is reflected XSS, it requires user interaction to click or visit a malicious link, which may limit large-scale automated exploitation but still poses a significant risk through phishing campaigns. Organizations using the affected system, especially those with web-facing interfaces accessible to external users or employees, are at risk. The absence of authentication requirements for exploitation increases the threat level. Additionally, the vulnerability could be leveraged as a stepping stone for more complex attacks, including delivering malware or conducting social engineering attacks. The overall impact is medium, considering the ease of exploitation and potential damage to business operations and data confidentiality.

To mitigate this vulnerability, organizations should immediately implement strict input validation and output encoding on the 'limit' parameter in the view_supplier.php file. Specifically, all user-supplied input should be sanitized to remove or neutralize potentially malicious characters before being reflected in the HTML response. Employing context-aware output encoding (e.g., HTML entity encoding) can prevent script execution. If source code modification is possible, developers should use secure coding libraries or frameworks that automatically handle input sanitization and output encoding. Additionally, implementing a Content Security Policy (CSP) can help restrict the execution of unauthorized scripts in the browser. Organizations should also educate users about the risks of clicking on suspicious links and consider deploying web application firewalls (WAFs) with rules to detect and block reflected XSS attempts targeting this parameter. Monitoring web logs for unusual URL patterns involving the 'limit' parameter can help detect exploitation attempts. Finally, organizations should stay alert for official patches or updates from the software vendor and apply them promptly once available.