VYPR
Low severity · CVSS 3.5 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 29, 2026

CVE-2026-5810

Description

A flaw has been found in SourceCodester Sales and Inventory System 1.0. Affected is an unknown function of the file /delete.php of the component GET Parameter Handler. Manipulation of the argument ID causes cross-site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Sales and Inventory System 1.0 has a reflected XSS in delete.php via the id GET parameter, which can allow an administrator's session to be hijacked.

Vulnerability

Overview

A reflected cross-site scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The flaw is located in the /delete.php file, where the id GET parameter is reflected into the response without proper sanitization or encoding [1]. This allows an attacker to inject arbitrary JavaScript code.

Exploitation

To exploit the vulnerability, an attacker crafts a URL containing a malicious payload in the id parameter. The proof-of-concept URL http://127.0.0.1:8089/delete.php?id=%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E&table=customer_details&return=view_customers.php demonstrates that the payload is executed in the victim's browser [1]. The attack requires the victim to be an authenticated administrator, since the delete action typically requires admin privileges [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the administrator's session. This can lead to session hijacking by stealing session cookies, privilege escalation by performing actions on behalf of the admin (e.g., adding rogue accounts), or forcing the browser to make unintended state-changing requests [1].

Mitigation

As of the publication date (2026-04-08), no official patch has been released by SourceCodester [2]. The recommended mitigation is to validate, sanitize and encode all user-supplied input before it is reflected in responses. The exploit has been published publicly, increasing the risk of active use [1].
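A hypothetical reconstruction of the reflection pattern described above, shown beside a hardened version; this is an added example, not the project's own delete.php code, and the function names and message text are assumptions.

```php
<?php
// Added example (not the project's code): a hypothetical reconstruction of the
// id-parameter reflection described for /delete.php, beside a hardened version.

// Vulnerable pattern: the raw id value is echoed into the HTML response, so a
// value such as <scrIpt>alert(1);</scRipt> is interpreted as markup.
function render_vulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    return "<p>Record $id could not be deleted.</p>";
}

// Hardened pattern: validate the parameter's type before use, and encode
// anything user-controlled when it is written back into HTML.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Returns a positive integer id, or null when the parameter is missing or not an integer.
function validated_id(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function render_hardened(array $query): string
{
    $id = validated_id($query);
    if ($id === null) {
        // Reject the request; if the rejected value is shown at all, encode it first.
        $shown = html_escape((string) ($query['id'] ?? ''));
        return "<p>Invalid record id: $shown</p>";
    }
    // $id is a validated int here; the actual delete belongs in a prepared statement.
    return "<p>Record $id deleted.</p>";
}

// Demonstration with the URL-decoded payload from the published proof of concept
// (constructed input, not a live request).
$poc = ['id' => '<scrIpt>alert(1);</scRipt>'];
echo render_vulnerable($poc), PHP_EOL;        // script tag is reflected unchanged
echo render_hardened($poc), PHP_EOL;          // angle brackets become HTML entities
echo render_hardened(['id' => '42']), PHP_EOL; // a well-formed id passes validation
```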

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.