CVE-2025-70093
OpenSourcePOS v3.4.1 is affected by CVE-2025-70093, described as an arbitrary code execution vulnerability triggered by returning a crafted AJAX response. The available sources corroborate a high-severity issue (CVSS 7.4; network attack, no user interaction) affecting OpenSourcePOS 3.4.1. The doc...
PT-2026-7996
A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Item Category parameter...
CVE-2025-70091
A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Phone Number parameter...
opensourcepos security vulnerability
OpenSourcePOS is an open-source point-of-sale system. Version 3.4.1 of OpenSourcePOS contains a security vulnerability. This vulnerability stems from insufficient input validation for the Item Category parameter in the Generate Item Barcode function, which may lead to cross-site scripting attacks...
CVE-2025-70092
A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Item Name parameter...
PT-2026-7917
Name of the Vulnerable Software and Affected Versions: OpenSourcePOS version 3.4.1. Description: An issue exists in the Item Kits function that permits the execution of arbitrary web scripts or HTML. This occurs through the injection of a crafted payload into the Item Name parameter. The vulnerabili...
CVE-2025-70092
OpenSourcePOS 3.4.1 contains a cross-site scripting (XSS) vulnerability in the Item Kits function. An attacker can inject arbitrary web scripts or HTML via the Item Name parameter, potentially affecting users interacting with the Item Kits UI. The description notes the vulnerability but does not ...
opensourcepos security vulnerability
OpenSourcePOS is an open-source point-of-sale system. OpenSourcePOS version 3.4.1 contains a security vulnerability, which stems from insufficient input validation for the Item Name parameter in the Item Kits function. This vulnerability may lead to cross-site scripting attacks...
CVE-2025-68658
Open Source Point of Sale (opensourcepos) is a web-based point-of-sale application written in PHP using the CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 contain a stored XSS vulnerability in the Configuration Information functionality. An authenticated user with the permission “Configuration...
CVE-2025-68658 Open Source Point of Sale (opensourcepos) Stored XSS in Configuration (Information) – Company Name field
Open Source Point of Sale (opensourcepos) is a web-based point-of-sale application written in PHP using the CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 contain a stored XSS vulnerability in the Configuration Information functionality. An authenticated user with the permission “Configuration...
CVE-2025-68434 opensourcepos has Cross-Site Request Forgery vulnerability that leads to Unauthorized Administrator Creation
Open Source Point of Sale (opensourcepos) is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter configuration. The CSRF protection...
CVE-2025-68434
CVE-2025-68434 affects OpenSourcePOS 3.4.0–3.4.1, where CSRF protection was explicitly disabled in the global filters, allowing a logged-in administrator’s browser to be coerced into making state-changing POST requests and silently create a new Administrator account. The issue is fixed in 3.4.2 b...
Exploit for CVE-2025-68147
CVE-2025-68147: Stored Cross-Site Scripting (XSS) in OpenSourc...
opensourcepos security vulnerability
opensourcepos is a point-of-sale system from the opensourcepos open-source project. A security vulnerability exists in opensourcepos version 3.4.1, which stems from a lack of server-side authentication and could lead to the setting of empty passwords and unauthorized access...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description: CSRF on logout functionality. Attacker is able to log out the user by sending a malicious link. Proof of Concept. Impact: This vulnerability is capable of logging out the user session. Note: This is not an attack, it is a kind of annoyance to the user, though it is a valid CSRF. By using the POST metho...
Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos
Description: Reflected cross-site scripting vulnerability in the barcode field and name field in the item kits category. Proof of Concept: 1. Log in to the demo account. 2. Go to item kits, edit any item, add the payload in the barcode field and click save. 3. Payload: " 4. PoC 1: https://ibb.co/ZJZLKdQ 5. PoC 2...
Cross-site Scripting (XSS) - Stored in opensourcepos/opensourcepos
Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept: // PoC.js 1-- Just go to https://demo.opensourcepos.org/messages 2-- Send a payload in the phone number field. 3-- You will get an...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description: Hello, there is another CSRF vulnerability in your nice application on the following endpoint: /sales/deleteitem/saleid...
in opensourcepos/opensourcepos
Description: The use of == and != might cause type juggling in the affected code if $row->hashversion == 1. Proof of Concept: If the md5 sum of the user's password starts with 0e, then any input with an md5 sum starting with 0e will result in true at the statement $row->password == md5($password). Impact: This...
SQL Injection in opensourcepos/opensourcepos
✍️ Description: The application is vulnerable to blind SQL injection. 🕵️♂️ Proof of Concept: URL: https://dev.opensourcepos.org/itemkits/search?sort=1 Vulnerable Parameter: sort. SQLMap PoC --- Parameter: sort (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value...