EUVD-2026-30761
A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument picfilename results in path traversal. The attack may be launched remotely. The patch is...
PT-2026-41666
A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument picfilename results in path traversal. The attack may be launched remotely. The patch is...
opensourcepos security vulnerability
opensourcepos is an open-source POS system developed by opensourcepos. Version 3.4.1 of opensourcepos contains a security vulnerability, which stems from improper handling of the currencysymbol configuration field. This vulnerability may lead to a second-level SQL injection attack...
opensourcepos security vulnerability
opensourcepos is an open-source POS system developed by opensourcepos. Version 3.4.1 of opensourcepos contains a security vulnerability. This vulnerability stems from insufficient input validation for the Phone Number parameter in the Customers function, which may lead to cross-site scripting...
CVE-2025-68658
Open Source Point of Sale opensourcepos is a web based point of sale application written in PHP using the CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 have a stored XSS vulnerability in the Configuration Information functionality. An authenticated user with the permission “Configuration...
CVE-2025-68658 Open Source Point of Sale (opensourcepos) Stored XSS in Configuration (Information) – Company Name field
Open Source Point of Sale opensourcepos is a web based point of sale application written in PHP using the CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 have a stored XSS vulnerability in the Configuration Information functionality. An authenticated user with the permission “Configuration...
CVE-2025-68434
CVE-2025-68434 affects OpenSourcePOS 3.4.0–3.4.1, where CSRF protection was explicitly disabled in the global filters, allowing a logged-in administrator’s browser to be coerced into making state-changing POST requests and silently create a new Administrator account. The issue is fixed in 3.4.2 b...
CVE-2025-68434 opensourcepos has Cross-Site Request Forgery vulnerability that leads to Unauthorized Administrator Creation
Open Source Point of Sale opensourcepos is a web based point of sale application written in PHP using the CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter configuration. The CSRF protection...
opensourcepos security vulnerability
opensourcepos is an open-source point-of-sale system developed by opensourcepos. A security vulnerability exists in opensourcepos version 3.4.1, which stems from a lack of server-side authentication and could lead to the setting of empty passwords and unauthorized access...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description CSRF on logout functionality. Attacker is able to log out the user by sending a malicious link. Proof of Concept Impact This vulnerability is capable of logging out the user's session. Note This is not an attack, it is a kind of annoyance to the user, though it is a valid CSRF. By using the POST metho...
Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos
Description Reflected cross-site scripting vulnerability in the barcode field and name field in the item kits category. Proof of Concept 1. Login to the demo account 2. Go to item kits, edit any item and add payload in the barcode field and click save 3. payload " 4. poc 1 https://ibb.co/ZJZLKdQ 5. poc 2...
Cross-site Scripting (XSS) - Stored in opensourcepos/opensourcepos
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js 1-- Just got https://demo.opensourcepos.org/messages 2-- send a payload on the phone number field. 3-- you will get an...
Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos
Description Hello, there is another CSRF vulnerability on your nice application on the following endpoint. /sales/deleteitem/saleid...
in opensourcepos/opensourcepos
Description The use of == and != might cause type juggling at the affected code if $row->hashversion == 1. Proof of Concept If the md5 sum of the user's password starts with 0e, then any input with an md5 sum starting with 0e will result in true at the statement $row->password == md5($password). Impact This...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The Application is vulnerable to blind SQL Injection 🕵️♂️ Proof of Concept URL: https://dev.opensourcepos.org/itemkits/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original value...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The Application is vulnerable to blind SQL Injection 🕵️♂️ Proof of Concept URL: https://dev.opensourcepos.org/giftcards/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original value...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The Application is vulnerable to blind SQL Injection 🕵️♂️ Proof of Concept URL: https://dev.opensourcepos.org/attributes/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original...
SQL Injection in opensourcepos/opensourcepos
✍️ Description The Application is vulnerable to blind SQL Injection 🕵️♂️ Proof of Concept URL: https://dev.opensourcepos.org/suppliers/search?sort=1 Vulnerable Parameter: sort SQLMap POC --- Parameter: sort GET Type: boolean-based blind Title: Boolean-based blind - Parameter replace original value...