CVE-2026-26746

High CVSS: 8.8

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).

Vendor

Opensourcepos

Product

Open Source Point Of Sale

CWE

CWE-434

Yayın Tarihi

2026-02-20 17:25:55

Güncelleme

2026-02-24 20:42:28

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-434 Open Source Point Of Sale HIGH Opensourcepos 2026

Referanslar

https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.md https://github.com/opensourcepos/opensourcepos

Benzer Kayıtlar

Medium

CVE-2026-33730

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter fram…

Medium

CVE-2026-26745

OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration…

Medium

CVE-2025-70095

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 all…

Medium

CVE-2025-70091

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute…

High

CVE-2025-70093

An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.

Medium

CVE-2025-70094

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attacker…