Description
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3.
Published: 2026-04-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: A stored cross‑site scripting vulnerability allows attackers to inject and execute arbitrary JavaScript in the browser of any user who views the Daily Sales page.
Action: Immediate Patch
AI Analysis

Impact

Open Source Point of Sale contains a stored XSS flaw in the customer_name column of the Daily Sales management table. The column is rendered without escaping, so an attacker who has customer‑management privileges can insert JavaScript into a customer's first or last name. When any user opens the Daily Sales page, the malicious script runs in that user’s browser, enabling actions such as session hijacking, data theft, or page defacement. The vulnerability is client‑side only; it does not provide direct server‑side code execution.

Affected Systems

The affected product is Open Source Point of Sale from the opensourcepos vendor. Versions older than 3.4.3 contain the flaw; the issue was fixed in release 3.4.3 and later.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to possess customer‑management permissions, which implies a privileged or compromised account. Once the conditions are met, the attack can execute arbitrary client‑side scripts, but it does not allow direct compromise of the server or other users’ accounts beyond the vulnerable session.

Generated by OpenCVE AI on April 14, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch to upgrade to version 3.4.3 or later.
  • If upgrading immediately is not possible, restrict customer‑management permissions to trusted users only or temporarily disable modification of customer name fields.
  • Modify the bootstrap‑table configuration to enable output escaping for the customer_name column so that all input is rendered safely.
  • Monitor the application logs for attempts to inject script payloads and investigate any suspicious activity.

Generated by OpenCVE AI on April 14, 2026 at 20:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Opensourcepos open Source Point Of Sale
CPEs cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
Vendors & Products Opensourcepos open Source Point Of Sale

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Opensourcepos
Opensourcepos opensourcepos
Vendors & Products Opensourcepos
Opensourcepos opensourcepos

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3.
Title Open Source Point of Sale has Stored XSS in Customer Name (Sales)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Opensourcepos Open Source Point Of Sale Opensourcepos
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:32:34.191Z

Reserved: 2026-03-13T14:33:42.824Z

Link: CVE-2026-32712

cve-icon Vulnrichment

Updated: 2026-04-08T14:32:29.151Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T21:17:16.430

Modified: 2026-04-14T18:45:18.430

Link: CVE-2026-32712

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses