Medium severity5.4NVD Advisory· Published Apr 7, 2026· Updated Apr 24, 2026

CVE-2026-39380

Description

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3.

Affected products

Opensourcepos/Open Source Point Of Sale
cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
Range: <3.4.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmgnvdExploitVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000