
49 matches found

CVE
added 2026/05/18 11:30 a.m., 12 views

CVE-2026-8803

Open Source POS (opensourcepos) up to version 3.4.2 has a vulnerability in the Login function (app/Models/Employee.php) where weak password hashing is used. The issue arises from the default password being seeded with an older hash, then migrated after login, with a hash version check that may be...

CVSS 6.3, AI score 5.3, EPSS 0.00015
Exploits 0, References 3
Vulnrichment
added 2026/05/18 10:00 a.m., 3 views

CVE-2026-8802 opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument picfilename results in path traversal. The attack may be launched remotely. The patch is...

CVSS 5.3, AI score 5.6, EPSS 0.00053
Exploits 0, References 6
Positive Technologies
added 2026/05/18 12:00 a.m., 9 views

PT-2026-41671

Name of the Vulnerable Software and Affected Versions: opensourcepos Open Source Point of Sale versions prior to 3.4.3. Description: A flaw in the Employee Login component allows for the use of a weak hash. The issue is located in the Login function within the app/Models/Employee.php file. This...

CVSS 6.3, AI score 5.8, EPSS 0.00015
Exploits 0, References 7
NVD
added 2026/03/27 1:16 a.m., 0 views

CVE-2026-33730

Open Source Point of Sale (opensourcepos) is a web-based point of sale application written in PHP using the CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of...

CVSS 6.5, EPSS 0.00013
Exploits 1, References 2
Cvelist
added 2026/03/27 12:30 a.m., 22 views

CVE-2026-33730 Open Source Point of Sale has an IDOR in Password Change (Home)

Open Source Point of Sale (opensourcepos) is a web-based point of sale application written in PHP using the CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of...

CVSS 6.5, EPSS 0.00013
Exploits 1, References 2
ATTACKERKB
added 2026/03/27 12:30 a.m., 1 view

CVE-2026-33730

Open Source Point of Sale (opensourcepos) is a web-based point of sale application written in PHP using the CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of...

CVSS 6.5, AI score 5.8, EPSS 0.00013
Exploits 1, References 3, Affected Software 1
CVE
added 2026/03/27 12:30 a.m., 5 views

CVE-2026-33730

Open Source Point of Sale (opensourcepos) is a PHP web app using CodeIgniter. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) allows an authenticated low-privilege user to access the password change functionality of other users (including administrators) by manipulating the emp...

CVSS 6.5, AI score 5.8, EPSS 0.00013
Exploits 1, References 2, Affected Software 1
CVE
added 2026/03/20 2:14 a.m., 1 view

CVE-2026-32888

CVE-2026-32888 affects Open Source Point of Sale (PHP, CodeIgniter). A SQL Injection exists in the Items search functionality when the custom attribute search feature (search_custom) is enabled: user input from the search GET parameter is interpolated directly into a HAVING clause without paramet...

CVSS 8.8, AI score 6.2, EPSS 0.00035
Exploits 1, References 1, Affected Software 1
RedhatCVE
added 2026/02/21 1:31 a.m., 1 view

CVE-2026-26746

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code...

CVSS 8.8, AI score 5.9, EPSS 0.00337
Exploits 2, References 1
OSV
added 2026/02/20 5:25 p.m., 2 views

CVE-2026-26745

OpenSourcePOS 3.4.1 has a second-order SQL Injection vulnerability in the handling of the currencysymbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or...

CVSS 5.3, AI score 6.2, EPSS 0.00065
Exploits 1, References 2
NVD
added 2026/02/20 5:25 p.m., 4 views

CVE-2026-26746

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code...

CVSS 8.8, EPSS 0.00337
Exploits 2, References 2
CVE
added 2026/02/20 12:00 a.m., 5 views

CVE-2026-26745

OpenSourcePOS 3.4.1 is affected by a second-order SQLi in the currency_symbol configuration field. The input is stored without sanitization and later concatenated into a dynamically constructed SQL query, allowing an attacker who can modify currency_symbol to inject arbitrary SQL that is executed...

CVSS 5.3, AI score 6.1, EPSS 0.00065
Exploits 1, References 2, Affected Software 1
CNNVD
added 2026/02/20 12:00 a.m., 3 views

opensourcepos security vulnerability

opensourcepos is an open-source POS system developed by opensourcepos. Version 3.4.1 of opensourcepos contains a security vulnerability. This vulnerability stems from the Sales.php::getInvoice function, which involves local file inclusion, potentially allowing for the reading of arbitrary files o...

CVSS 8.8, AI score 6, EPSS 0.00337
Exploits 2, References 2
Cvelist
added 2026/02/20 12:00 a.m., 17 views

CVE-2026-26746

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code...

EPSS 0.00337
Exploits 2, References 2
Cvelist
added 2026/02/20 12:00 a.m., 18 views

CVE-2026-26745

OpenSourcePOS 3.4.1 has a second-order SQL Injection vulnerability in the handling of the currencysymbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or...

EPSS 0.00065
Exploits 1, References 2
Positive Technologies
added 2026/02/20 12:00 a.m., 1 view

PT-2026-21256

Name of the Vulnerable Software and Affected Versions: OpenSourcePOS version 3.4.1. Description: The application contains a Local File Inclusion (LFI) issue within the Sales.php::getInvoice function. An attacker can potentially read arbitrary files on the web server by manipulating the Invoice Type...

AI score 5.6, EPSS 0.00337
Exploits 2, References 4
Vulnrichment
added 2026/02/20 12:00 a.m., 2 views

CVE-2026-26745

OpenSourcePOS 3.4.1 has a second-order SQL Injection vulnerability in the handling of the currencysymbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or...

AI score 6, EPSS 0.00065
Exploits 1, References 2
RedhatCVE
added 2026/02/14 1:28 a.m., 2 views

CVE-2025-70091

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter...

CVSS 6.5, AI score 5.5, EPSS 0.00052
Exploits 1, References 1
RedhatCVE
added 2026/02/14 1:28 a.m., 2 views

CVE-2025-70095

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload...

CVSS 6.5, AI score 5.5, EPSS 0.00052
Exploits 1, References 1
OSV
added 2026/02/13 4:16 p.m., 3 views

CVE-2025-70095

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload...

CVSS 6.5, AI score 5.6, EPSS 0.00052
Exploits 1, References 2