CVE-2026-8803
Published 2026-05-18
Priority: P4 · 15 · low
CVSS 3.1: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.18% (7.9th percentile)
A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opensourcepos | open_source_point_of_sale | — | — |
| opensourcepos | open_source_point_of_sale | — | — |
| opensourcepos | open_source_point_of_sale | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
VulDB
opensourcepos Open Source Point of Sale up to 3.4.2 Employee Login app/Models/Employee.php login weak hash (EUVD-2026-30768)
vuldb·2026-05-18·CVSS 6.3
CVE-2026-8803 [MEDIUM] opensourcepos Open Source Point of Sale up to 3.4.2 Employee Login app/Models/Employee.php login weak hash (EUVD-2026-30768)
A vulnerability, which was classified as problematic, has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash.
This vulnerability is registered as CVE-2026-8803. Remote exploitation of the attack is possible. No exploit is available.
The actual existence of this vulnerability is currently in question.
The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash
GHSA
GHSA-2gcj-979q-prrq: A flaw has been found in opensourcepos Open Source Point of Sale up to 3
ghsa_unreviewed·2026-05-18
CVE-2026-8803 [MEDIUM] CWE-327 GHSA-2gcj-979q-prrq: A flaw has been found in opensourcepos Open Source Point of Sale up to 3
A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function."
No detection rules found.
No public exploits indexed.
Published: 2026-05-18