CVE-2026-9414

LOW

SourceCodester Indian Invoicing System Invoice Template Render Database-Backed add_order.php cross site scripting

Title source: cna

Description

A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customer_name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

References (5)

Core 5

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-365395 | SourceCodester Indian Invoicing System Invoice Template Render Database-Backed add_order.php cross site scripting

https://vuldb.com/vuln/365395

Signature, Permissions Required signature permissions-required

VDB-365395 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/365395/cti

Third Party Advisory third-party-advisory

Submit #813610 | SourceCodester Invoicing System In PHP 1.0 Stored XSS

https://vuldb.com/submit/813610

Exploit exploit

https://gist.github.com/c4ttr4ck/97c5babe1f16fa3243333528a40b7550

Product product

https://www.sourcecodester.com/

Scores

CVSS v3 3.5

EPSS 0.0025

EPSS Percentile 15.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (2)

SourceCodester/Indian Invoicing System 0.*

SourceCodester/Indian Invoicing System 1.0

Published May 25, 2026

Tracked Since May 25, 2026