CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:35 p.m.•6 views

CVE-2026-32712

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Daily Sales management table. The customername column is configured with escape: false in the bootstrap-tabl...

5.4CVSS5.6AI score0.00029EPSS

Exploits1References1

RedhatCVE•added 2026/06/05 7:26 p.m.•5 views

CVE-2026-39380

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied throug...

5.4CVSS5.6AI score0.00035EPSS

Exploits1References1

RedhatCVE•added 2026/06/05 7:24 p.m.•4 views

CVE-2026-8802

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument picfilename results in path traversal. The attack may be launched remotely. The patch is...

5.3CVSS5.2AI score0.00053EPSS

NVD•added 2026/06/03 7:16 p.m.•4 views

CVE-2026-42839

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the itemname, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale POS cart interface for every operator who adds that item to a transaction.This issue...

4.8CVSS0.00046EPSS

NVD•added 2026/06/03 7:16 p.m.•7 views

CVE-2026-42840

An authenticated user can persist arbitrary HTML/JavaScript in the emailid or mobileno fields of a Customer record and trigger unescaped rendering in the Point of Sale POS interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0...

5.1CVSS0.00052EPSS

EUVD•added 2026/06/03 5:44 p.m.•6 views

EUVD-2026-34158

4.8CVSS5.9AI score0.00046EPSS

Vulnrichment•added 2026/06/03 5:44 p.m.•6 views

CVE-2026-42839 ERPNext 16.16.0 - Stored XSS in POS cart item rendering

4.8CVSS5.9AI score0.00046EPSS

Cvelist•added 2026/06/03 5:44 p.m.•28 views

CVE-2026-42839 ERPNext 16.16.0 - Stored XSS in POS cart item rendering

4.8CVSS0.00046EPSS

EUVD•added 2026/06/03 5:35 p.m.•6 views

EUVD-2026-34157

CVE•added 2026/06/03 5:35 p.m.•7 views

CVE-2026-42840

CVE-2026-42840 affects ERPNext 16.16.0. An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record, triggering unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. The underlying flaw is un...

Vulnrichment•added 2026/06/03 5:35 p.m.•5 views

CVE-2026-42840 ERPNext 16.16.0 - Stored XSS in POS customer section via unescaped template literals

ATTACKERKB•added 2026/06/03 5:35 p.m.•4 views

CVE-2026-42840

Exploits0References3Affected Software1

Cvelist•added 2026/06/03 5:35 p.m.•29 views

CVE-2026-42840 ERPNext 16.16.0 - Stored XSS in POS customer section via unescaped template literals

5.1CVSS0.00052EPSS

Positive Technologies•added 2026/06/03 12:0 a.m.•6 views

PT-2026-46043

Name of the Vulnerable Software and Affected Versions ERPNext version 16.16.0 Description An authenticated user with permissions to edit Item records can inject arbitrary HTML or JavaScript into the item name, description, or image fields of an Item. This leads to unescaped rendering in the Point...

4.8CVSS5.9AI score0.00046EPSS

Cvelist•added 2026/05/27 2:25 a.m.•28 views

CVE-2026-48999 Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product

Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session...

5.7CVSS0.00033EPSS

RedhatCVE•added 2026/05/26 8:15 p.m.•8 views

CVE-2026-9444

A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely...

5.8CVSS5.7AI score0.00036EPSS

Cvelist•added 2026/05/25 9:45 a.m.•34 views

CVE-2026-9447 SourceCodester Simple POS and Inventory System search.php sql injection

A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack is possible to be carried out remotely. The exploit has be...

7.5CVSS0.00039EPSS

EUVD•added 2026/05/25 9:45 a.m.•7 views

EUVD-2026-31663

7.5CVSS6.9AI score0.00039EPSS

CVE•added 2026/05/25 9:30 a.m.•18 views

CVE-2026-9446

CVE-2026-9446 affects SourceCodester Simple POS and Inventory System 1.0. The vulnerability is an SQL injection in /admin/edit_customer.php (parameter ID). Root cause: unsafely constructed SQL from user-controlled input, enabling remote exploitation. Exploit status in docs indicates public disclo...

5.8CVSS5.7AI score0.00036EPSS