CVE-2026-8802

EUVD-2026-30761

18.05.2026, 11:16

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
VulDB	CNA	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 14%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
opensourcepos	open_source_point_of_sale	3.4.0	CNA
opensourcepos	open_source_point_of_sale	3.4.1	CNA
opensourcepos	open_source_point_of_sale	3.4.2	CNA

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323

https://github.com/opensourcepos/opensourcepos/pull/4545

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5

https://vuldb.com/submit/802559

https://vuldb.com/vuln/364435

https://vuldb.com/vuln/364435/cti