Description
Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3.
Published: 2026-04-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in the Stock Locations configuration allows malicious JavaScript to be executed when the Employees interface renders data stored in the database, creating a risk of session hijacking or data exfiltration.
Action: Patch
AI Analysis

Impact

A vulnerability in earlier releases of Open Source Point of Sale permits the injection of arbitrary JavaScript code through the stock_location parameter. The input is stored in the database without proper sanitization and later rendered in the Employees view. An attacker who can submit such a payload can cause browsers of users who view the affected page to execute the script, potentially stealing session cookies or manipulating the interface.

Affected Systems

Any installation of Open Source Point of Sale older than version 3.4.3 is affected. The specific vendor is Open Source POS and the product is its web‑based point‑of‑sale application. The vulnerability manifests in the Stock Locations configuration screen, accessed through the web interface.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves authenticated access to the configuration interface, but if the application is exposed to unauthenticated users, remote exploitation is possible. Attackers could achieve script execution in the context of legitimate users, compromising confidentiality and integrity of sensitive data.

Generated by OpenCVE AI on April 7, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Open Source Point of Sale 3.4.3 or newer.


Tracking


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Opensourcepos; Opensourcepos opensourcepos
Vendors & Products | (none) | Opensourcepos; Opensourcepos opensourcepos

Wed, 08 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | (none) | {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3.
Title | (none) | Open Source Point of Sale has Stored XSS in Stock Location (Configuration)
Weaknesses | (none) | CWE-79
References | (none) | (none listed)
Metrics (cvssV3_1) | (none) | {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Opensourcepos Opensourcepos
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T15:49:45.758Z

Reserved: 2026-04-06T22:06:40.515Z

Link: CVE-2026-39380

Vulnrichment

Updated: 2026-04-08T15:49:36.465Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T20:16:32.617

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-39380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:46:04Z

Weaknesses