Open Source Point Of Sale

by Opensourcepos

CVEs (11)

  • CVE-2026-32888 (High, Mar 20, 2026)
    risk 0.57, cvss 8.8, epss 0.00

    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input…

  • CVE-2026-32712 (Medium, Apr 7, 2026)
    risk 0.35, cvss 5.4, epss 0.00

    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false…

  • CVE-2026-39380 (Medium, Apr 7, 2026)
    risk 0.35, cvss 5.4, epss 0.00

    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user…

  • CVE-2026-33730 (Medium, Mar 27, 2026)
    risk 0.35, cvss 6.5, epss 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password…

  • CVE-2026-8803 (Low, May 18, 2026)
    risk 0.24, cvss 3.7, epss 0.00

    A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack…

  • CVE-2026-8802 (Medium, May 18, 2026)
    risk 0.21, cvss 4.3, epss 0.00

    A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely.…

  • CVE-2025-68434 (Dec 17, 2025)
    risk 0.00, cvss n/a, epss 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter…

  • CVE-2025-68147 (Dec 17, 2025)
    risk 0.00, cvss n/a, epss 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration…

  • CVE-2025-66921 (Dec 17, 2025)
    risk 0.00, cvss n/a, epss 0.00

    A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

  • CVE-2025-66923 (Dec 17, 2025)
    risk 0.00, cvss n/a, epss 0.00

    A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter.

  • CVE-2025-63800 (Nov 18, 2025)
    risk 0.00, cvss n/a, epss 0.00

    The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password…