CVE-2026-26745

Medium CVSS: 5.3

OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.

Vendor

Opensourcepos

Product

Open Source Point Of Sale

CWE

CWE-89

Yayın Tarihi

2026-02-20 17:25:55

Güncelleme

2026-02-24 20:45:24

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-89 Open Source Point Of Sale MEDIUM Opensourcepos 2026

Referanslar

https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26745.md https://github.com/opensourcepos/opensourcepos

Benzer Kayıtlar

Medium

CVE-2026-33730

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter fram…

High

CVE-2026-26746

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An atta…

Medium

CVE-2025-70095

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 all…

Medium

CVE-2025-70091

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute…

High

CVE-2025-70093

An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.

Medium

CVE-2025-70094

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attacker…