Description
OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise and Unauthorized Database Access
Action: Patch Now
AI Analysis

Impact

OpenSourcePOS version 3.4.1 contains a second‑order SQL injection vulnerability in the handling of the currency_symbol configuration field. The input is stored as entered and later concatenated into a dynamically constructed SQL query without sanitization or parameter binding. This flaw allows an attacker who can modify the currency_symbol value to inject arbitrary SQL expressions that are executed when the query is processed, potentially exposing or altering sensitive data. The weakness is identified as CWE‑89.

Affected Systems

The affected software is OpenSourcePOS, an open‑source point‑of‑sale application, specifically version 3.4.1 No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploits are documented. Exploitation requires the attacker to have permissions to modify the currency_symbol setting, typically through administrative access to the application shell or configuration interface. The likely attack vector is a privileged user changing the configuration, and based on the description, it is inferred that once that access is achieved the attacker can execute arbitrary SQL commands, compromising database confidentiality and integrity.

Generated by OpenCVE AI on April 18, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched release of OpenSourcePOS that corrects the handling of the currency_symbol field
  • Restrict write access to the currency_symbol configuration to trusted administrators only, preventing untrusted users from altering the value
  • Implement input validation or sanitize the currency_symbol value before storing or using it in any SQL query to block injection attempts

Generated by OpenCVE AI on April 18, 2026 at 11:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Title Second‑Order SQL Injection in OpenSourcePOS 3.4.1 Currency Symbol Setting

Tue, 24 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Opensourcepos open Source Point Of Sale
CPEs cpe:2.3:a:opensourcepos:open_source_point_of_sale:3.4.1:*:*:*:*:*:*:*
Vendors & Products Opensourcepos open Source Point Of Sale

Mon, 23 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Opensourcepos
Opensourcepos opensourcepos
Vendors & Products Opensourcepos
Opensourcepos opensourcepos

Fri, 20 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
Description OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.
References

Subscriptions

Opensourcepos Open Source Point Of Sale Opensourcepos
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-23T20:22:06.979Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26745

cve-icon Vulnrichment

Updated: 2026-02-23T20:21:47.317Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T17:25:55.807

Modified: 2026-02-24T20:45:24.933

Link: CVE-2026-26745

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses