CVE-2026-11518

SourceCodester Inventory System User Management users.php cross site scripting

CVSS 5.3 MEDIUMEPSS 0.4%CWE-79 CWE-94

A vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Affected products

SourceCodester · Inventory System

public PoCs found — 2

githubgithub.com/Xmyronn/CVE-2026-11518-XSS★ 0 cve_referencegithub.com/Xmyronn/Stored-XSS-in-Inventory-System-using-PHP-and-MySQL.gitunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Xmyronn/Stored-XSS-in-Inventory-System-using-PHP-and-MySQL.git https://vuldb.com/cve/CVE-2026-11518 https://vuldb.com/submit/836289 https://vuldb.com/vuln/369138 https://vuldb.com/vuln/369138/cti https://www.sourcecodester.com/