CVE-2026-9413 PUBLISHED

A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.

• c4ttr4ck (VulDB User) reporter

• VDB-365394 | SourceCodester Indian Invoicing System category.php cross site scripting
• VDB-365394 | CTI Indicators (IOB, IOC, TTP, IOA)
• Submit #813609 | SourceCodester Invoicing System In PHP 1.0 Reflected Cross-Site Scripting (XSS) + SQL Injection
• https://gist.github.com/c4ttr4ck/cb6a07bc54600a14de2676d8b96c3026
• https://www.sourcecodester.com/

• Cross Site Scripting CWE
• Code Injection CWE