Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities found for Open Source Point of Sale by opensourcepos

    CVE-2026-8803 (GCVE-0-2026-8803)

    Vulnerability from nvd – Published: 2026-05-18 11:30 – Updated: 2026-05-19 16:20 Disputed
    VLAI
    Title
    opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash
    Summary
    A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function."
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/364436 vdb-entrytechnical-description
    https://vuldb.com/vuln/364436/cti signaturepermissions-required
    https://vuldb.com/submit/802561 third-party-advisory
    Impacted products
    Vendor Product Version
    opensourcepos Open Source Point of Sale Affected: 3.4.0
    Affected: 3.4.1
    Affected: 3.4.2
        cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Kamran Saifullah (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-19T16:19:49.176036Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-19T16:20:03.549Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Employee Login"
              ],
              "product": "Open Source Point of Sale",
              "vendor": "opensourcepos",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.0"
                },
                {
                  "status": "affected",
                  "version": "3.4.1"
                },
                {
                  "status": "affected",
                  "version": "3.4.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kamran Saifullah (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: \"[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it\u0027s not actively in use as any password change will use a newer hash function.\""
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-18T11:30:08.931Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-364436 | opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/364436"
            },
            {
              "name": "VDB-364436 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/364436/cti"
            },
            {
              "name": "Submit #802561 | opensourcepos Open Source Point of Sale 3.4.1 Weak Encoding for Password",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/802561"
            }
          ],
          "tags": [
            "disputed"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-18T06:43:04.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-8803",
        "datePublished": "2026-05-18T11:30:08.931Z",
        "dateReserved": "2026-05-18T04:37:54.529Z",
        "dateUpdated": "2026-05-19T16:20:03.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8802 (GCVE-0-2026-8802)

    Vulnerability from nvd – Published: 2026-05-18 10:00 – Updated: 2026-05-18 13:12 X_Open Source
    VLAI
    Title
    opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal
    Summary
    A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    opensourcepos Open Source Point of Sale Affected: 3.4.0
    Affected: 3.4.1
    Affected: 3.4.2
        cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Kamran Saifullah (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-18T13:12:17.880373Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-18T13:12:29.186Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*"
              ],
              "product": "Open Source Point of Sale",
              "vendor": "opensourcepos",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.0"
                },
                {
                  "status": "affected",
                  "version": "3.4.1"
                },
                {
                  "status": "affected",
                  "version": "3.4.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kamran Saifullah (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-18T10:00:14.027Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-364435 | opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/364435"
            },
            {
              "name": "VDB-364435 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/364435/cti"
            },
            {
              "name": "Submit #802559 | opensourcepos Open Source Point of Sale 3.4.1 Path Traversal",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/802559"
            },
            {
              "tags": [
                "broken-link"
              ],
              "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/opensourcepos/opensourcepos/pull/4545"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-18T06:43:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-8802",
        "datePublished": "2026-05-18T10:00:14.027Z",
        "dateReserved": "2026-05-18T04:37:48.556Z",
        "dateUpdated": "2026-05-18T13:12:29.186Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8803 (GCVE-0-2026-8803)

    Vulnerability from cvelistv5 – Published: 2026-05-18 11:30 – Updated: 2026-05-19 16:20 Disputed
    VLAI
    Title
    opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash
    Summary
    A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function."
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/364436 vdb-entrytechnical-description
    https://vuldb.com/vuln/364436/cti signaturepermissions-required
    https://vuldb.com/submit/802561 third-party-advisory
    Impacted products
    Vendor Product Version
    opensourcepos Open Source Point of Sale Affected: 3.4.0
    Affected: 3.4.1
    Affected: 3.4.2
        cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Kamran Saifullah (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-19T16:19:49.176036Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-19T16:20:03.549Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Employee Login"
              ],
              "product": "Open Source Point of Sale",
              "vendor": "opensourcepos",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.0"
                },
                {
                  "status": "affected",
                  "version": "3.4.1"
                },
                {
                  "status": "affected",
                  "version": "3.4.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kamran Saifullah (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: \"[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it\u0027s not actively in use as any password change will use a newer hash function.\""
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-18T11:30:08.931Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-364436 | opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/364436"
            },
            {
              "name": "VDB-364436 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/364436/cti"
            },
            {
              "name": "Submit #802561 | opensourcepos Open Source Point of Sale 3.4.1 Weak Encoding for Password",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/802561"
            }
          ],
          "tags": [
            "disputed"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-18T06:43:04.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-8803",
        "datePublished": "2026-05-18T11:30:08.931Z",
        "dateReserved": "2026-05-18T04:37:54.529Z",
        "dateUpdated": "2026-05-19T16:20:03.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8802 (GCVE-0-2026-8802)

    Vulnerability from cvelistv5 – Published: 2026-05-18 10:00 – Updated: 2026-05-18 13:12 X_Open Source
    VLAI
    Title
    opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal
    Summary
    A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    opensourcepos Open Source Point of Sale Affected: 3.4.0
    Affected: 3.4.1
    Affected: 3.4.2
        cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Kamran Saifullah (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-18T13:12:17.880373Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-18T13:12:29.186Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*"
              ],
              "product": "Open Source Point of Sale",
              "vendor": "opensourcepos",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.0"
                },
                {
                  "status": "affected",
                  "version": "3.4.1"
                },
                {
                  "status": "affected",
                  "version": "3.4.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kamran Saifullah (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-18T10:00:14.027Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-364435 | opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/364435"
            },
            {
              "name": "VDB-364435 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/364435/cti"
            },
            {
              "name": "Submit #802559 | opensourcepos Open Source Point of Sale 3.4.1 Path Traversal",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/802559"
            },
            {
              "tags": [
                "broken-link"
              ],
              "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/opensourcepos/opensourcepos/pull/4545"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-18T06:43:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-8802",
        "datePublished": "2026-05-18T10:00:14.027Z",
        "dateReserved": "2026-05-18T04:37:48.556Z",
        "dateUpdated": "2026-05-18T13:12:29.186Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }