3 matches found
CVE-2026-32712
Open Source Point of Sale (OSPOS) has a Stored XSS vulnerability in the Daily Sales page prior to version 3.4.3. The issue arises from the customer_name field being configured with escape: false in the bootstrap-table setup, causing customer names to render as raw HTML. With customer management p...
CVE-2026-39380
Open Source Point of Sale (OSPOS) has a Stored XSS in the Stock Locations configuration. Before version 3.4.3, the stock_location input is not properly sanitized, allowing injected JavaScript to be stored in the database and executed when viewing the Employees interface. Affected product: OSPOS (...
CVE-2026-33730
Open Source Point of Sale (opensourcepos) is a PHP web app using CodeIgniter. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) allows an authenticated low-privilege user to access the password change functionality of other users (including administrators) by manipulating the emp...