CVE-2026-11520: XSS Vulnerability in SourceCodester Inventory System 1.0
SourceCodester Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in the header.php file that allows authenticated users to inject malicious scripts through multiple parameters. An attacker with valid credentials can craft a specially crafted request to inject JavaScript that executes in the browsers of other users, potentially stealing session data or performing unauthorized actions on their behalf. Public exploit code is available, increasing the practical risk despite the low CVSS score.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in SourceCodester Inventory System 1.0. Affected by this issue is some unknown functionality of the file header.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Multiple parameters might be affected.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a reflected or stored XSS flaw (CWE-79) present in header.php of SourceCodester Inventory System 1.0. The application fails to properly sanitize or encode user-supplied input across multiple parameters before rendering them in web responses. The attack vector is network-based and requires an authenticated user account (PR:L) plus user interaction (UI:R) from the victim. The weakness also carries CWE-94 implications, suggesting possible code evaluation risks depending on implementation context. Exploitation does not breach confidentiality or availability but can compromise application integrity through script injection.
Business impact
While rated LOW severity, this vulnerability poses a meaningful insider threat and compliance risk. Authenticated attackers (employees, contractors, or compromised accounts) can inject scripts to harvest credentials, manipulate business logic in the inventory system, or redirect users to fraudulent sites. For organizations using this system to manage stock, procurement, or supply chain data, malicious script execution could lead to false inventory counts, unauthorized stock transfers, or audit trail corruption. The public availability of exploits lowers the barrier for opportunistic attackers.
Affected systems
SourceCodester Inventory System version 1.0 is affected. No specific patch versions or subsequent releases were listed in the advisory data provided. Organizations should verify their exact version and check the vendor's website or advisory channels for available updates or mitigation guidance.
Exploitability
Exploitability is moderate in practice despite the low CVSS score. The attack requires authentication and user interaction, limiting opportunistic external exploitation. However, internal threat actors with valid accounts face minimal friction; they can craft a malicious link and send it to colleagues via email or chat, leveraging trust to trigger the XSS. Public exploit availability means attackers do not need to invest in discovery or payload development. The multiple affected parameters suggest broad attack surface within the application.
Remediation
Immediate patching is the primary remediation path—contact SourceCodester or check their official security advisories for a fixed version of Inventory System. Until patching is possible, implement strict Content Security Policy (CSP) headers to restrict inline script execution, apply input validation to reject or encode special characters in all parameters, and enforce output encoding when rendering user-controlled data. Consider temporarily restricting access to header.php functionality or the entire Inventory System to users with genuine business need. Review user access logs for suspicious parameter injection attempts.
Patch guidance
Check the SourceCodester website or GitHub repository for version 1.0.1 or later, or any security advisory naming specific patch versions. Apply patches immediately upon availability given the public exploit landscape. Test patches in a staging environment before production deployment to ensure no functionality regression in inventory tracking or reporting.
Detection guidance
Monitor web application logs for unusual characters or script tags (e.g., <script>, javascript:, onerror=) in HTTP parameters passed to header.php. Correlation with failed or suspicious user sessions may identify exploitation attempts. Deploy a Web Application Firewall (WAF) configured to detect and block reflected XSS payloads. Review browser security logs for console errors indicating injected scripts. Look for abnormal inventory data changes or user account modifications that coincide with suspicious parameter values in access logs.
Why prioritize this
Although CVSS scores LOW severity, prioritize this for remediation due to public exploit availability and the authenticated-but-low-friction attack path. Insider threats and compromised accounts amplify risk; XSS execution can corrupt sensitive inventory records or compromise other user sessions. The multiple affected parameters enlarge the attack surface, making defense-in-depth measures essential.
Risk score, explained
The CVSS 3.1 score of 3.5 (LOW) reflects the requirement for authentication and user interaction, both of which significantly constrain severity in a traditional external attacker scenario. However, this scoring methodology underweights insider threats and the real-world impact of public exploit code. Organizations with high-privilege or large populations of system users should weight this risk higher than the base score suggests.
Frequently asked questions
Does this vulnerability affect Inventory System versions other than 1.0?
The advisory data provided only confirms version 1.0. Contact SourceCodester or review their security advisory to determine if other versions are impacted.
Can an unauthenticated attacker exploit this vulnerability?
No. The CVSS vector specifies PR:L (authentication required). An attacker must have valid credentials to access the affected functionality.
What is the practical difference between this LOW score and a MEDIUM severity XSS?
This vulnerability requires both authentication and user interaction (clicking a crafted link), whereas many MEDIUM-scored XSS issues bypass one or both of those controls. The low CVSS reflects a higher bar to exploitation; public exploit availability and insider threat potential are not captured in the score and should inform your organizational risk assessment.
Should we take this seriously if we have only a few trusted users?
Yes. Even in low-user environments, a single compromised account or malicious insider can inject scripts to manipulate inventory data, harvest other users' session tokens, or trigger supply chain disruptions. Public exploit code lowers the skill floor for exploitation.
This analysis is provided for informational purposes and reflects the vulnerability data available as of the publication date. CVSS scores and severity ratings are assigned by official sources; your organization's risk assessment may differ based on local context, user populations, and threat model. Always consult vendor security advisories for authoritative patch guidance and affected version lists. SEC.co does not provide legal or compliance advice; coordinate patching and remediation with your security and compliance teams. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0