7.4
OpenSourcePOS v3.4.1: Malicious AJAX Response Can Execute Unwanted Code
CVE-2025-70093
Summary
OpenSourcePOS version 3.4.1 has a security weakness that lets attackers inject malicious code into the system through a crafted AJAX response. This could allow them to take control of your point of sale system. You should update to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| opensourcepos | open_source_point_of_sale | 3.4.1 | – |
Original title
An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.
Original description
An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.
NVD CVSS 3.1
7.4
Vulnerability type
CWE-77
Command Injection
- https://github.com/hungnqdz/cve-research/blob/main/CVE-2025-70093.md (Exploit, Mitigation, Third Party Advisory)
- https://github.com/opensourcepos/opensourcepos/pull/4357 (Issue Tracking)
- https://www.opensourcepos.org (Product)
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026