VYPR

Opensourcepos

by Opensourcepos

CVEs (15)

  • CVE-2026-32888 | High | Mar 20, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input…

  • CVE-2026-33730 | Medium | Mar 27, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password…

  • CVE-2026-8802 | Medium | May 18, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely.…

  • CVE-2026-26745 | Feb 20, 2026
    risk 0.00 | cvss | epss 0.00

    OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper…

  • CVE-2026-26746 | Feb 20, 2026
    risk 0.00 | cvss | epss 0.01

    OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to…

  • CVE-2025-70094 | Feb 13, 2026
    risk 0.00 | cvss | epss 0.00

    A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter.

  • CVE-2025-70091 | Feb 13, 2026
    risk 0.00 | cvss | epss 0.00

    A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter.

  • CVE-2025-70095 | Feb 13, 2026
    risk 0.00 | cvss | epss 0.00

    A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.

  • CVE-2025-70093 | Feb 13, 2026
    risk 0.00 | cvss | epss 0.00

    An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.

  • CVE-2025-70092 | Feb 12, 2026
    risk 0.00 | cvss | epss 0.00

    A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Name parameter.

  • CVE-2025-68658 | Jan 13, 2026
    risk 0.00 | cvss | epss 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. In opensourcepos 3.4.0 and 3.4.1, a stored XSS vulnerability exists in the Configuration (Information) functionality. An authenticated user with the…

  • CVE-2025-68434 | Dec 17, 2025
    risk 0.00 | cvss | epss 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter…

  • CVE-2025-66924 | Dec 17, 2025
    risk 0.00 | cvss | epss 0.00

    A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

  • CVE-2025-66923 | Dec 17, 2025
    risk 0.00 | cvss | epss 0.00

    A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter.

  • CVE-2025-66921 | Dec 17, 2025
    risk 0.00 | cvss | epss 0.00

    A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.