Description
HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer' using the 'start_date_formatted' and 'end_date_formatted' parameters.
Published: 2026-04-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTML injection allows attackers to render malicious HTML in a victim’s browser, potentially leading to cross‑site scripting attacks.
Action: Monitor
AI Analysis

Impact

The vulnerability resides in the '/reports/generate/specific_customer' endpoint of PHP Point Of Sale version 19.4. Request parameters 'start_date_formatted' and 'end_date_formatted' are not properly validated, permitting an attacker to embed arbitrary HTML. This flaw can result in cross‑site scripting (XSS) when the report is generated and viewed in the user’s browser.

Affected Systems

This issue affects PHP Point Of Sale version 19.4 itself; no other component or product is named as affected.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. The EPSS score is unavailable, and the vulnerability is not listed in CISA KEV. Exploitation likely requires access to the vulnerable endpoint, which may be limited to authenticated users depending on the deployment. No official patch is currently available, so the risk remains until the vendor releases a fix or a mitigation is applied.

Generated by OpenCVE AI on April 21, 2026 at 22:45 UTC.

Remediation

Vendor Solution

There is no solution reported at this time.


OpenCVE Recommended Actions

  • Validate and escape the 'start_date_formatted' and 'end_date_formatted' parameters to prevent the insertion of raw HTML.
  • Restrict the '/reports/generate/specific_customer' endpoint so that only authenticated and authorized personnel can trigger report generation.
  • Deploy a web application firewall or input‑filtering rule that blocks or sanitizes payloads containing HTML tags before they reach the application.
  • Continuously monitor logs for unusual input patterns such as angle brackets or script tags and investigate any anomalies promptly.
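As an added illustration of the first recommended action (example code, not from PHP Point Of Sale or OpenCVE), a PHP handler that allow-list-validates both date parameters before use and still escapes them on output. The 'Y-m-d' format is an assumption; the page does not state the application's date format.

```php
<?php
// Added example: strict validation of the two report date parameters, then
// context-aware escaping when the values are echoed back into the report page.
// The 'Y-m-d' format is assumed; adapt it to the application's real format.

function validate_report_date(?string $value, string $format = 'Y-m-d'): ?string
{
    if ($value === null || $value === '') {
        return null;
    }
    // '!' resets unspecified fields so the round-trip below is deterministic.
    $dt = DateTime::createFromFormat('!' . $format, $value);
    // createFromFormat is lenient (e.g. it accepts 2026-02-30 and rolls it over),
    // so re-format and require an exact match; anything else (including HTML) fails.
    if ($dt === false || $dt->format($format) !== $value) {
        return null;
    }
    return $value;
}

function render_report_heading(array $params): string
{
    $start = validate_report_date($params['start_date_formatted'] ?? null);
    $end   = validate_report_date($params['end_date_formatted'] ?? null);
    if ($start === null || $end === null) {
        // Reject the request; never echo the raw submitted value back to the page.
        return '<p>Invalid date range.</p>';
    }
    // Output escaping is applied even though the values passed validation (defence in depth).
    return sprintf(
        '<h2>Report for %s to %s</h2>',
        htmlspecialchars($start, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($end, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// Constructed sample inputs: a valid range, then a payload carrying markup.
echo render_report_heading([
    'start_date_formatted' => '2026-04-01',
    'end_date_formatted'   => '2026-04-21',
]), PHP_EOL;
echo render_report_heading([
    'start_date_formatted' => '<b>2026-04-01</b>',
    'end_date_formatted'   => '2026-04-21',
]), PHP_EOL;
```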



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Phppointofsale
                                      Phppointofsale php Point Of Sale
Vendors & Products                    Phppointofsale
                                      Phppointofsale php Point Of Sale

Tue, 21 Apr 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer' using the 'start_date_formatted' and 'end_date_formatted' parameters.
Title                          HTML injection in PHP Point Of Sale
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0
                               {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


Subscriptions

Phppointofsale Php Point Of Sale
MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-21T16:21:50.544Z

Reserved: 2025-04-16T09:08:43.217Z

Link: CVE-2025-41011

Vulnrichment

Updated: 2026-04-21T16:21:45.456Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T16:16:19.143

Modified: 2026-04-21T16:20:24.180

Link: CVE-2025-41011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:21Z

Weaknesses