CVE-2026-8802
opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.
| CWE | CWE-22 |
| Vendor | opensourcepos |
| Product | open source point of sale |
| Published | May 18, 2026 |
| Last Updated | May 18, 2026 |
Stay Ahead of the Next One
Get instant alerts for opensourcepos open source point of sale
Be the first to know when new medium vulnerabilities affecting opensourcepos open source point of sale are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
opensourcepos / Open Source Point of Sale
3.4.0 3.4.1 3.4.2
References
vuldb.com: https://vuldb.com/vuln/364435 vuldb.com: https://vuldb.com/vuln/364435/cti vuldb.com: https://vuldb.com/submit/802559 github.com: https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5 github.com: https://github.com/opensourcepos/opensourcepos/pull/4545 github.com: https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323
Credits
๐ Kamran Saifullah (VulDB User) VulDB CNA Team