VYPR

Vendor: Opensourcepos
Products: 2
CVEs: 20
Across products: 26
Status: Private

Recent CVEs (20)
  • CVE-2026-32888 (High), Mar 20, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input…

  • CVE-2026-32712 (Medium), Apr 7, 2026
    risk 0.35, CVSS 5.4, EPSS 0.00

    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false…

  • CVE-2026-39380 (Medium), Apr 7, 2026
    risk 0.35, CVSS 5.4, EPSS 0.00

    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user…

  • CVE-2026-33730 (Medium), Mar 27, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password…

  • CVE-2026-8803 (Low), May 18, 2026
    risk 0.24, CVSS 3.7, EPSS 0.00

    A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Affected is the function Login in the file app/Models/Employee.php of the component Employee Login. The manipulation results in use of a weak hash. Remote exploitation is possible. The attack…

  • CVE-2026-8802 (Medium), May 18, 2026
    risk 0.21, CVSS 4.3, EPSS 0.00

    A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely.…

  • CVE-2026-26745, Feb 20, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper…

  • CVE-2026-26746, Feb 20, 2026
    risk 0.00, CVSS n/a, EPSS 0.01

    OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to…

  • CVE-2025-70093, Feb 13, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.

  • CVE-2025-70095, Feb 13, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.

  • CVE-2025-70094, Feb 13, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter.

  • CVE-2025-70091, Feb 13, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter.

  • CVE-2025-70092, Feb 12, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Name parameter.

  • CVE-2025-68658, Jan 13, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 have a stored XSS vulnerability in the Configuration (Information) functionality. An authenticated user with the…

  • CVE-2025-68434, Dec 17, 2025
    risk 0.00, CVSS n/a, EPSS 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter…

  • CVE-2025-68147, Dec 17, 2025
    risk 0.00, CVSS n/a, EPSS 0.00

    Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration…

  • CVE-2025-66921, Dec 17, 2025
    risk 0.00, CVSS n/a, EPSS 0.00

    A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

  • CVE-2025-66924, Dec 17, 2025
    risk 0.00, CVSS n/a, EPSS 0.00

    A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

  • CVE-2025-66923, Dec 17, 2025
    risk 0.00, CVSS n/a, EPSS 0.00

    A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter.

  • CVE-2025-63800, Nov 18, 2025
    risk 0.00, CVSS n/a, EPSS 0.00

    The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password…