Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
OpenSourcePOS 3.4.1: Malicious Access to Server Files
CVE-2026-26746
Summary
OpenSourcePOS, a point of sale software, contains a security flaw that allows an attacker to read sensitive files on the server. This could lead to further exploitation, potentially allowing an attacker to take control of the server. Update to the latest version of OpenSourcePOS to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| opensourcepos | open_source_point_of_sale | 3.4.1 | – |
Original title
OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice T...
Original description
OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).
nvd CVSS3.1
8.8
Vulnerability type
CWE-434
Unrestricted File Upload
- https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.md Exploit Mitigation Third Party Advisory
- https://github.com/opensourcepos/opensourcepos Product
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026