5.3
OpenSourcePOS 3.4.1: SQL Injection in Currency Configuration
CVE-2026-26745
Summary
OpenSourcePOS version 3.4.1 has a second-order SQL injection weakness in how it handles the currency_symbol configuration field, which lets an attacker who can change that setting manipulate data in the system. This could lead to unauthorized access or data tampering. To protect your business, update to a fixed version of OpenSourcePOS when one is available, or restrict access to the currency configuration settings.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| opensourcepos | open_source_point_of_sale | 3.4.1 | – |
Original title
OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it...
Original description
OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.
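The store-then-concatenate pattern described above, next to the parameter-bound form, as an added example that is not OpenSourcePOS code: the `app_config` and `sales` tables, the function names and the `PROBE` value are constructed for illustration, and SQLite stands in for the application's database.

```python
import sqlite3

# Constructed stand-in schema; not OpenSourcePOS's real tables or queries.
PROBE = "' || (SELECT count(*) FROM app_config) || '"  # constructed test value

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_config (key TEXT PRIMARY KEY, value TEXT)")
    db.execute("CREATE TABLE sales (id INTEGER PRIMARY KEY, total REAL)")
    db.execute("INSERT INTO sales (total) VALUES (19.5)")
    return db

def save_symbol(db, symbol):
    # Write path: bound parameter, so the value is stored inertly.
    db.execute(
        "INSERT OR REPLACE INTO app_config (key, value) "
        "VALUES ('currency_symbol', ?)", (symbol,))

def load_symbol(db):
    row = db.execute(
        "SELECT value FROM app_config WHERE key = 'currency_symbol'").fetchone()
    return row[0]

def report_concatenated(db):
    # Read path, vulnerable pattern: the stored value is treated as trusted
    # and spliced into the SQL text, so a quote in it ends the string literal
    # and the rest is parsed as SQL.
    sql = "SELECT '" + load_symbol(db) + "' || total FROM sales"
    return db.execute(sql).fetchone()[0]

def report_bound(db):
    # Read path, corrected: the stored value travels as a bound parameter
    # and can only ever be data.
    return db.execute(
        "SELECT ? || total FROM sales", (load_symbol(db),)).fetchone()[0]

def demo():
    db = make_db()
    save_symbol(db, "$")
    normal = (report_concatenated(db), report_bound(db))
    save_symbol(db, PROBE)
    probed = (report_concatenated(db), report_bound(db))
    return normal, probed

if __name__ == "__main__":
    print(demo())
```

With the ordinary symbol both read paths agree; with the constructed value the concatenated query evaluates the embedded subquery, while the bound query returns the stored text unchanged in front of the total.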
NVD CVSS 3.1
5.3
Vulnerability type
CWE-89
SQL Injection
- https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26745.md (Exploit, Mitigation, Third Party Advisory)
- https://github.com/opensourcepos/opensourcepos (Product)
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026