VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 8, 2026

CVE-2026-11518

Description

SourceCodester Inventory System 1.0 is vulnerable to unauthenticated stored XSS via the fullname and username fields in register.php, allowing remote attackers to hijack admin sessions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Inventory System version 1.0, specifically within the /register.php file of the User Management component. The fullname and username input fields do not properly sanitize or encode user-supplied data before storing it in the database. This vulnerability affects the application when an administrator views the User Management page (/users.php) [1].

Exploitation

An unauthenticated, remote attacker can exploit this vulnerability by submitting a malicious payload in the fullname or username fields on the registration page (/product_inventory/register.php). No authentication is required to access this page. Once the payload is stored, it will execute when an administrator navigates to the User Management page (/users.php) [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an administrator's browser session. This can lead to the theft of administrator session cookies, redirection to phishing pages, or the performance of any action on behalf of the administrator within the application [1].

Mitigation

SourceCodester Inventory System version 1.0 is affected. A fixed version has not yet been disclosed in the available references. No workarounds are provided [1, 2].

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The application fails to sanitize or encode user-supplied input before storing it in the database, and renders unsanitized payloads directly in the HTML context."

Attack vector

An unauthenticated attacker can visit the registration page (/product_inventory/register.php) and submit malicious JavaScript payloads in the 'fullname' and 'username' fields. These payloads are stored in the database without sanitization. When an administrator later views the User Management page (/product_inventory/users.php), the stored, unsanitized payloads are rendered directly in the HTML, leading to immediate JavaScript execution in the admin's browser session [ref_id=1].

Affected code

The vulnerability exists in the 'register.php' file where user input for 'fullname' and 'username' is inserted directly into the database without sanitization. The 'users.php' file then outputs these stored values without proper HTML encoding, leading to the execution of injected scripts [ref_id=1].

What the fix does

The advisory recommends encoding all output using htmlspecialchars() with ENT_QUOTES before rendering user-supplied data in HTML, and validating/sanitizing all input fields on the server side at the point of entry. Implementing a Content Security Policy (CSP) header is also suggested to mitigate XSS impact. The patch is not provided, but these measures would prevent the unsanitized data from being executed as JavaScript [ref_id=1].
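The controls named above, as an added example written for this page rather than code from SourceCodester Inventory System (the project's own source is not reproduced here): the table and column names, the helper names and the allowlist rules are assumptions.

```php
<?php
// Added example, not the project's code: table and column names are assumed.

// 1. Server-side validation at the point of entry (register.php).
//    Allowlist patterns reject markup outright; adjust to the site's own naming rules.
function validate_registration(array $post): array
{
    $errors   = [];
    $username = trim($post['username'] ?? '');
    $fullname = trim($post['fullname'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)) {
        $errors[] = 'username must be 3-32 letters, digits, "_", "." or "-"';
    }
    if (!preg_match('/^[\p{L}\p{M} \'.-]{1,64}$/u', $fullname)) {
        $errors[] = 'fullname must be 1-64 letters, spaces, apostrophes, dots or hyphens';
    }
    return $errors;
}

// 2. Storage with a prepared statement (hypothetical schema).
function store_user(PDO $db, string $fullname, string $username, string $passwordHash): void
{
    $stmt = $db->prepare('INSERT INTO users (fullname, username, password) VALUES (?, ?, ?)');
    $stmt->execute([$fullname, $username, $passwordHash]);
}

// 3. Output encoding at render time (users.php). This is the control that keeps a
//    stored payload from being parsed as markup, whatever is already in the database.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern described by the advisory (unencoded interpolation):
//   echo '<td>' . $row['fullname'] . '</td><td>' . $row['username'] . '</td>';
// Hardened equivalent:
function render_user_row(array $row): string
{
    return '<tr><td>' . e($row['fullname']) . '</td><td>' . e($row['username']) . '</td></tr>';
}

// 4. Defence in depth: a CSP that refuses inline script even where encoding is missed.
//    Must be sent before any output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}
```

With this in place a registration carrying the advisory's payload is rejected by validate_registration(), and any value that does reach the table is rendered by e() as inert text rather than as a script element.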

Preconditions

  • auth: No authentication is required to inject the payload [ref_id=1].
  • network: The attack can be carried out remotely [ref_id=1].

Reproduction

Step 1 — Navigate to the registration page (no auth required):
http://<TARGET>/product_inventory/register.php

Step 2 — Submit the registration form with:
Full Name field payload: <script>alert(1)</script>
Username field payload: <script>alert(2)</script>
Password: any value (e.g., test1234)

Step 3 — HTTP request (Burp Suite / curl):
POST /product_inventory/register.php HTTP/1.1
Host: <TARGET>
Content-Type: application/x-www-form-urlencoded

fullname=<script>alert(1)</script>&username=<script>alert(2)</script>&password=test1234&submit=

Step 4 — Trigger as admin: log in as administrator and navigate to:
http://<TARGET>/product_inventory/users.php

Both payloads execute immediately upon page load [ref_id=1].

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)