Description
OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).
Published: 2026-02-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

OpenSourcePOS version 3.4.1 contains a Local File Inclusion vulnerability in the Sales.php::getInvoice() function, which allows an attacker to read arbitrary files on the web server by manipulating the Invoice Type configuration. The vulnerability is a direct file inclusion flaw (recorded as CWE-434) and can be chained with the application's existing file upload functionality to achieve remote code execution. The impact is therefore not limited to file disclosure: a successful chain can lead to full compromise of the application and the underlying hosting environment.

Affected Systems

OpenSourcePOS (CPE product open_source_point_of_sale), version 3.4.1. No additional vendors or product variants are listed in the CNA data; the vulnerability is recorded against this specific release only.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as high severity (the vector records PR:L, i.e. low-privilege access is required). The EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not currently listed in CISA’s KEV catalog. The likely attack path involves an attacker with web access who can influence the Invoice Type configuration, followed by use of the file upload capability to achieve code execution. The risk is significant if the system is publicly exposed and the vulnerable configuration is reachable.

Generated by OpenCVE AI on April 18, 2026 at 11:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSourcePOS to a version that fixes the LFI
  • Restrict or secure the Invoice Type configuration so that only authorized administrators can modify it
  • Disable or harden the file upload feature to prevent exploitation chaining

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 12:00:00 +0000

  • Title (values added): Local File Inclusion Leading to Remote Code Execution in OpenSourcePOS 3.4.1

Tue, 24 Feb 2026 20:45:00 +0000

  • First Time appeared (values added): Opensourcepos open Source Point Of Sale
  • CPEs (values added): cpe:2.3:a:opensourcepos:open_source_point_of_sale:3.4.1:*:*:*:*:*:*:*
  • Vendors & Products (values added): Opensourcepos open Source Point Of Sale

Mon, 23 Feb 2026 21:15:00 +0000

  • Weaknesses (values added): CWE-434
  • Metrics (values added): cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

  • First Time appeared (values added): Opensourcepos; Opensourcepos opensourcepos
  • Vendors & Products (values added): Opensourcepos; Opensourcepos opensourcepos

Fri, 20 Feb 2026 16:30:00 +0000

  • Description (values added): OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).
  • References: no values listed

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-23T20:12:05.206Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26746

Vulnrichment

Updated: 2026-02-23T20:11:02.756Z

NVD

Status: Analyzed

Published: 2026-02-20T17:25:55.920

Modified: 2026-02-24T20:42:28.327

Link: CVE-2026-26746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses