
Opensourcepos Open Source Point Of Sale vulnerabilities

21 known vulnerabilities affecting opensourcepos/open_source_point_of_sale.

Total CVEs: 21
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 9, MEDIUM 11, LOW 1

Vulnerabilities (page 1 of 2, 20 of 21 entries)
CVE | priority | severity | CVSS | affected versions | date

CVE-2026-26746 | P2 | HIGH | CVSS 8.8 | v3.4.1 | 2026-02-20
CWE-434 (Unrestricted Upload of File with Dangerous Type). OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE). Source: NVD.

CVE-2026-32888 | P3 | HIGH | CVSS 8.8 | ≤ 3.4.2 | 2026-03-20
CWE-89 (SQL Injection). Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Affected versions contain an SQL injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause wit… Source: NVD.

CVE-2025-63800 | P3 | HIGH | CVSS 7.5 | v3.4.1 | 2025-11-18
CWE-521 (Weak Password Requirements). The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets th… Source: NVD.

CVE-2025-68434 | P3 | HIGH | CVSS 8.8 | ≥ 3.4.0, < 3.4.2 | 2025-12-17
CWE-352 (Cross-Site Request Forgery). Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter configuration. The CSRF protection mechanism was explicitly disabled, allowing the… Source: NVD.

CVE-2025-70093 | P3 | HIGH | CVSS 7.4 | v3.4.1 | 2026-02-13
CWE-77 (Command Injection). An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response. Source: NVD.

CVE-2025-66923 | P3 | HIGH | CVSS 7.2 | v3.4.1 | 2025-12-17
CWE-20 (Improper Input Validation). A cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter. Source: NVD.

CVE-2025-66921 | P3 | HIGH | CVSS 7.2 | v3.4.1 | 2025-12-17
CWE-20 (Improper Input Validation). A cross-site scripting (XSS) vulnerability in the Create/Update Item(s) module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. Source: NVD.

CVE-2026-26745 | P3 | MEDIUM | CVSS 5.3 | v3.4.1 | 2026-02-20
CWE-89 (SQL Injection). OpenSourcePOS 3.4.1 has a second-order SQL injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to mo… Source: NVD.

CVE-2022-34578 | P3 | HIGH | CVSS 7.2 | v3.3.7 | 2022-07-28
CWE-434 (Unrestricted Upload of File with Dangerous Type). Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page. Source: NVD.

CVE-2026-33730 | P3 | MEDIUM | CVSS 6.5 | fixed in 3.4.2 | 2026-03-27
CWE-639 (Authorization Bypass Through User-Controlled Key). Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulati… Source: NVD.

CVE-2025-68147 | P3 | HIGH | CVSS 8.1 | ≥ 3.4.0, < 3.4.2 | 2025-12-17
CWE-79 (Cross-Site Scripting). Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration field. The application does not properly sanitize user input before saving it t… Source: NVD.

CVE-2025-70094 | P4 | MEDIUM | CVSS 6.5 | v3.4.1 | 2026-02-13
CWE-79 (Cross-Site Scripting). A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter. Source: NVD.

CVE-2025-70091 | P4 | MEDIUM | CVSS 6.5 | v3.4.1 | 2026-02-13
CWE-79 (Cross-Site Scripting). A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter. Source: NVD.

CVE-2026-39380 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.4.3 | 2026-04-07
CWE-79 (Cross-Site Scripting). Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to… Source: NVD.

CVE-2025-70095 | P4 | MEDIUM | CVSS 6.5 | v3.4.1 | 2026-02-13
CWE-79 (Cross-Site Scripting). A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. Source: NVD.

CVE-2025-66924 | P4 | MEDIUM | CVSS 6.1 | v3.4.1 | 2025-12-17
CWE-79 (Cross-Site Scripting). A cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. Source: NVD.

CVE-2026-32712 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.4.3 | 2026-04-07
CWE-79 (Cross-Site Scripting). Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be… Source: NVD.

CVE-2025-70092 | P4 | MEDIUM | CVSS 5.5 | v3.4.1 | 2026-02-12
CWE-79 (Cross-Site Scripting). A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Name parameter. Source: NVD.

CVE-2026-8802 | P4 | MEDIUM | CVSS 4.3 | v3.4.0, v3.4.1, +1 more | 2026-05-18
CWE-22 (Path Traversal). A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch… Source: NVD.
CVE-2025-68658 | P4 | MEDIUM | CVSS 4.8 | ≥ 3.4.0, < 3.4.2 | 2026-01-13
CWE-79 (Cross-Site Scripting). Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 have a stored XSS vulnerability in the Configuration (Information) functionality. An authenticated user with the permission "Configuration: Change OSPOS's Configuration" can inject a malici… Source: NVD.
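A triage helper, added here as an example and not cvebase's or the opensourcepos project's code: it parses the affected-version expressions in the exact forms this listing prints them ("v3.4.1", "≤ 3.4.2", "≥ 3.4.0, < 3.4.2", "fixed in 3.4.2", and the "v3.4.0, v3.4.1, +1 more" row whose third version the page does not show) and reports which CVEs apply to a given installed version. The entry table is a constructed subset of the rows above. Two assumptions are labelled in the code: "fixed in X" is read as every version below X being affected, and a row containing a clause that does not parse (such as "+1 more") is sent to manual review rather than silently marked as not affected.

```python
"""Triage helper for the OpenSourcePOS CVE listing above.

Added example, not cvebase's or the opensourcepos project's code. It parses
affected-version expressions in the exact forms this page prints and decides,
per CVE, whether a given installed version is affected.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    cve: str
    severity: str
    cvss: float
    affected: str  # affected-version expression, verbatim from the page


# Constructed subset of the rows on this page (CVE, severity, CVSS, affected).
ENTRIES = [
    Entry("CVE-2026-26746", "HIGH", 8.8, "v3.4.1"),
    Entry("CVE-2026-32888", "HIGH", 8.8, "≤ 3.4.2"),
    Entry("CVE-2025-68434", "HIGH", 8.8, "≥ 3.4.0, < 3.4.2"),
    Entry("CVE-2022-34578", "HIGH", 7.2, "v3.3.7"),
    Entry("CVE-2026-33730", "MEDIUM", 6.5, "fixed in 3.4.2"),
    Entry("CVE-2026-39380", "MEDIUM", 5.4, "fixed in 3.4.3"),
    Entry("CVE-2026-8802", "MEDIUM", 4.3, "v3.4.0, v3.4.1, +1 more"),
]

_CMP = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def parse_version(text):
    """'v3.4.1' or '3.4.1' -> (3, 4, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def affects(expr, installed):
    """True / False / None (needs manual review) for one affected-version expression.

    Forms handled: exact 'vX.Y.Z' (several, comma separated, are OR-ed);
    comparison clauses such as '≥ 3.4.0, < 3.4.2' (AND-ed); 'fixed in X.Y.Z'
    (assumption: every version below X.Y.Z is affected). Any clause that does
    not parse, e.g. '+1 more', turns a non-match into None, never False.
    """
    inst = parse_version(installed)
    expr = expr.replace("≤", "<=").replace("≥", ">=").strip()
    m = re.fullmatch(r"fixed in\s+v?(\d+(?:\.\d+)*)", expr)
    if m:
        return inst < parse_version(m.group(1))
    exact_hit, comparisons, unknown = False, [], False
    for clause in (c.strip() for c in expr.split(",")):
        m = re.fullmatch(r"(<=?|>=?)\s*v?(\d+(?:\.\d+)*)", clause)
        if m:
            comparisons.append(_CMP[m.group(1)](inst, parse_version(m.group(2))))
            continue
        m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", clause)
        if m:
            exact_hit = exact_hit or inst == parse_version(m.group(1))
            continue
        unknown = True  # e.g. '+1 more': the page does not show that version
    if exact_hit or (comparisons and all(comparisons)):
        return True
    return None if unknown else False


def triage(installed, entries=ENTRIES):
    """Bucket entries into affected / review / not_affected, highest CVSS first."""
    buckets = {"affected": [], "review": [], "not_affected": []}
    for entry in entries:
        verdict = affects(entry.affected, installed)
        key = {True: "affected", False: "not_affected", None: "review"}[verdict]
        buckets[key].append(entry)
    for bucket in buckets.values():
        bucket.sort(key=lambda e: e.cvss, reverse=True)  # stable: ties keep page order
    return buckets


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "3.4.1"
    for name, bucket in triage(version).items():
        print(f"{name} ({len(bucket)}):")
        for e in bucket:
            print(f"  {e.cve:15} {e.severity:6} CVSS {e.cvss:<4} affected: {e.affected}")
```

Run it with the installed version as the first argument. For 3.4.1 every row in the subset except CVE-2022-34578 lands in "affected". Against this listing, 3.4.2 is not a clean stopping point: CVE-2026-32888 (≤ 3.4.2) and CVE-2026-39380 (fixed in 3.4.3) still match, and CVE-2026-8802 goes to "review" because its third listed version is not on the page (its description says "up to 3.4.2"). At 3.4.3 nothing in the subset matches outright and only the 8802 row remains to confirm by hand.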