VYPR
Medium severity · 4.3 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-8802

Description

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open Source Point of Sale ≤3.4.2 has a path traversal in getPicThumb() allowing authenticated remote attackers to read arbitrary files.

Vulnerability

Overview

CVE-2026-8802 describes a path traversal vulnerability in Open Source Point of Sale (opensourcepos) versions up to and including 3.4.2. The flaw resides in the getPicThumb function within app/Controllers/Items.php. The pic_filename parameter is not sanitized before being used in file operations, allowing an attacker to inject directory traversal sequences such as ../ to access files outside the intended upload directory [1][2].

Exploitation

An attacker must be authenticated to the application to reach the vulnerable endpoint. The attack is launched remotely by sending a crafted request with a malicious pic_filename value. The original code used rawurldecode() on the filename but did not strip directory components, enabling traversal. The fix applies basename() to remove any directory path and validates the file extension against an allowlist of image types, returning a 400 error for invalid types [1].
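As an added example (not opensourcepos code), the same sanitisation rewritten as a stand-alone PHP function with two defence-in-depth checks the patch itself does not include: a character allowlist that also excludes glob metacharacters, and a realpath() containment check against the upload directory. The function name `resolve_item_pic`, the temporary upload directory and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not opensourcepos code: mirrors the basename() + extension
// allowlist fix and adds a character allowlist and a realpath() containment check.
declare(strict_types=1);

/**
 * Returns the on-disk path of an item picture, or null when the request should
 * be refused with HTTP 400. $allowed_types mirrors the image_allowed_types
 * config value (comma- or pipe-separated); $upload_dir is an assumed location.
 */
function resolve_item_pic(string $pic_filename, string $upload_dir, string $allowed_types): ?string
{
    // 1. Decode once, then drop any directory component (the core of the fix).
    $name = basename(rawurldecode($pic_filename));

    // 2. Defence in depth: conservative character set. This also rejects glob
    //    metacharacters (* ? [) and dot-prefixed names such as ".env".
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$/', $name)) {
        return null;
    }

    // 3. Extension allowlist, normalised on both sides so config values such as
    //    "JPG, png" do not reject legitimate uploads.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $allowed = array_map('trim', preg_split('/[|,]/', strtolower($allowed_types)));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // 4. Containment: the resolved path (symlinks followed) must stay inside
    //    $upload_dir, so a stray symlink in the directory cannot escape it either.
    $root = realpath($upload_dir);
    $path = realpath($upload_dir . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary upload directory holding one real image.
$dir = sys_get_temp_dir() . '/item_pics_' . bin2hex(random_bytes(4));
mkdir($dir);
touch("$dir/widget.jpg");
foreach (['widget.jpg', '..%2F..%2F.env', '../../.env', '*.jpg', 'widget.php'] as $input) {
    $result = resolve_item_pic($input, $dir, 'JPG, jpeg, png');
    printf("%-16s => %s\n", $input, $result ?? 'rejected (400)');
}
unlink("$dir/widget.jpg");
rmdir($dir);
```

Only `widget.jpg` resolves to a path; the encoded and plain traversal attempts, the wildcard name and the non-image extension are all refused before any filesystem call with the attacker-controlled name is made.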

Impact

Successful exploitation allows an authenticated attacker to read arbitrary files on the server, including sensitive configuration files such as .env, database credentials, encryption keys, and other application secrets. This could lead to further compromise of the system and data exposure [2].

Mitigation

The vendor has released a patch in commit def0c27a0e252668df8d942fc31e16d1edfd7323 and pull request #4545. The patch should be applied to all affected versions (≤3.4.2). No workaround is documented; upgrading to a patched version is the recommended remediation [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

def0c27a0e25

fix(security): Path traversal vulnerability in getPicThumb (#4545)

1 file changed · +17 −2
  • app/Controllers/Items.php (+17 −2, modified)
    @@ -154,8 +154,23 @@ public function getPicThumb(string $pic_filename): ResponseInterface
         {
             helper('file');
     
    -        $pic_filename = rawurldecode($pic_filename);
    -        $file_extension = pathinfo($pic_filename, PATHINFO_EXTENSION);
    +        // Security: Sanitize filename to prevent path traversal
    +        // Use basename() to strip directory components and prevent '../' attacks
    +        $pic_filename = basename(rawurldecode($pic_filename));
    +        $file_extension = strtolower(pathinfo($pic_filename, PATHINFO_EXTENSION));
    +
    +        // Validate file extension against system-configured allowed image types
    +        // Handle both legacy pipe-separated and current comma-separated formats
    +        // Fallback to types that GD library can process for thumbnail generation
    +        $allowed_types = $this->config['image_allowed_types'] ?? 'jpg,jpeg,gif,png,webp,bmp,tif,tiff';
    +        $allowed_extensions = strpos($allowed_types, '|') !== false
    +            ? explode('|', $allowed_types)
    +            : explode(',', $allowed_types);
    +
    +        if (!in_array($file_extension, $allowed_extensions, true)) {
    +            return $this->response->setStatusCode(400)->setBody('Invalid file type');
    +        }
    +
             $images = glob("./uploads/item_pics/$pic_filename");
             $base_path = './uploads/item_pics/' . pathinfo($pic_filename, PATHINFO_FILENAME);
     
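Review bot: after sanitisation the name is still interpolated unchanged into `glob("./uploads/item_pics/$pic_filename")` on the first unchanged line below the new block, so glob metacharacters (`*`, `?`, `[`) that survive basename() and carry an allowed extension can match several files in that directory rather than the one requested; consider rejecting names outside a strict character allowlist before that call. The allowlist comparison is also one-sided: `$file_extension` is lowercased, but the configured `image_allowed_types` values are neither trimmed nor lowercased, so a setting such as `jpg, png` or `JPG` would make every request fail the strict `in_array()` check; `array_map('trim', ...)` plus `strtolower()` applied to `$allowed_types` would close that gap.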
    

