CVE-2026-8802

EPSS 0.39%
Veröffentlicht 18.05.2026 10:00:14
Zuletzt bearbeitet 18.05.2026 19:20:20
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 9

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstelleropensourcepos

≫

Produkt Open Source Point of Sale

Version 3.4.0

Status affected

Version 3.4.1

Status affected

Version 3.4.2

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.306

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cna@vuldb.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://vuldb.com/vuln/364435

https://vuldb.com/vuln/364435/cti

https://vuldb.com/submit/802559

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5

https://github.com/opensourcepos/opensourcepos/pull/4545

https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323

https://nvd.nist.gov/vuln/detail/CVE-2026-8802

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-8802

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-8802

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-8802