CVE-2026-11518

🗓️ 08 Jun 2026 13:30:11Reported by VulDBType

cve🔗 web.nvd.nist.gov👁 23 Views🌐 WEB

CVE-2026-11518 affects SourceCodester Inventory System 1.0; /users.php enables remote cross site scripting via fullname or username.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-11518	8 Jun 202613:30	–	attackerkb
CNNVD	SourceCodester Inventory System 跨站脚本漏洞	8 Jun 202600:00	–	cnnvd
Cvelist	CVE-2026-11518 SourceCodester Inventory System User Management users.php cross site scripting	8 Jun 202613:30	–	cvelist
EUVD	EUVD-2026-35068	8 Jun 202613:30	–	euvd
NVD	CVE-2026-11518	8 Jun 202615:16	–	nvd
Positive Technologies	PT-2026-47292	8 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-11518	9 Jun 202614:59	–	redhatcve
Vulnrichment	CVE-2026-11518 SourceCodester Inventory System User Management users.php cross site scripting	8 Jun 202613:30	–	vulnrichment

Vulners

Node

sourcecodester inventory_systemMatch1.0

[
  {
    "vendor": "SourceCodester",
    "product": "Inventory System",
    "versions": [
      {
        "version": "1.0",
        "status": "affected"
      }
    ],
    "cpes": [
      "cpe:2.3:a:sourcecodester:inventory_system:*:*:*:*:*:*:*:*"
    ],
    "modules": [
      "User Management Page"
    ]
  }
]

Source	Link
vuldb	www.vuldb.com/vuln/369138/cti
sourcecodester	www.sourcecodester.com/
github	www.github.com/Xmyronn/Stored-XSS-in-Inventory-System-using-PHP-and-MySQL.git
vuldb	www.vuldb.com/submit/836289
vuldb	www.vuldb.com/cve/CVE-2026-11518
vuldb	www.vuldb.com/vuln/369138

Parameter	Position	Path	Description	CWE
fullname	query param	/users.php	Cross-site scripting via manipulation of fullname/username parameters in the User Management Page (/users.php).	CWE-79, CWE-94
username	query param	/users.php	Cross-site scripting via manipulation of fullname/username parameters in the User Management Page (/users.php).	CWE-79, CWE-94

17 Jun 2026 10:14Current

3.7Low risk

Vulners AI Score3.7

CVSS 3.14.3

CVSS 25

CVSS 45.3

CVSS 34.3

EPSS0.00388

SSVC