Unrated severityNVD Advisory· Published Feb 20, 2026· Updated Feb 23, 2026
CVE-2026-26745
CVE-2026-26745
Description
OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: =3.4.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.