Medium severityNVD Advisory· Published Jul 31, 2025· Updated Apr 15, 2026

CVE-2025-40980

Description

A Stored Cross Site Scripting vulnerability has been found in UltimatePOS by UltimateFosters. This vulnerability is due to the lack of proper validation of user inputs via ‘/products/<PRODUCT_ID>/edit’, affecting to ‘name’ parameter via POST. The vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her session cookies details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in UltimatePOS allows an authenticated attacker to inject malicious scripts via the product name field, potentially stealing session cookies.

Vulnerability

Description A stored cross-site scripting (XSS) vulnerability has been identified in UltimatePOS by UltimateFosters. The issue originates from insufficient input validation in the product name parameter during editing via the /products/<PRODUCT_ID>/edit endpoint. An attacker can inject arbitrary JavaScript code that is then stored and executed within the application's interface. [1]

Exploitation

Context To exploit this vulnerability, an attacker needs valid credentials for the UltimatePOS application, as the edit functionality is accessible only to authenticated users. The crafted payload is delivered through a POST request to the product edit page, where the malicious script is stored in the 'name' parameter. When another authenticated user views the affected product details, the injected script executes in their browser session. [1]

Potential

Impact Successful exploitation could allow the attacker to steal session cookies of other users, leading to account hijacking or unauthorized access. The CVSS v4.0 score of 5.1 (Medium) reflects the requirement for user interaction and the limited scope impact. [1]

Mitigation

The vendor has released a fix in version 6.7 of UltimatePOS. Users are advised to update to the latest version to remediate the vulnerability. [1]

References

Cross-Site Scripting (XSS) in UltimatePOS

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

ultimatefosters/UltimatePOSllm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-ultimateposnvd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000