QwikSec

Security Database

CVE

CWE

Training

CVE-2026-8802

Published: May 18, 2026

Modified: May 18, 2026

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.

Vendor	Product	Versions
opensourcepos	Open Source Point of Sale	affected `3.4.0` affected `3.4.1` affected `3.4.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

VDB-364435 | opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal

vdb-entry

technical-description

VDB-364435 | CTI Indicators (IOB, IOC, TTP, IOA)

signature

permissions-required

Submit #802559 | opensourcepos Open Source Point of Sale 3.4.1 Path Traversal

third-party-advisory

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5

broken-link

https://github.com/opensourcepos/opensourcepos/pull/4545

issue-tracking

patch

https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.