Description
A vulnerability was determined in Campcodes Complete POS Management and Inventory System up to 4.0.6. This affects an unknown function of the file app/Http/Controllers/SettingsController.php of the component Environment Variable Handler. Executing a manipulation can lead to injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A vulnerability exists in the Environment Variable Handler component of Campcodes Complete POS Management and Inventory System, specifically affecting an undisclosed function in app/Http/Controllers/SettingsController.php. The flaw permits injection of malicious input, which can lead to the execution of unintended commands or alteration of critical environment settings. Because injection occurs in code that manages system configuration, an attacker may compromise the integrity of the application or gain unauthorized access to the underlying operating system. The vulnerability is classed as an injection weakness (CWE-707 and CWE-74) and could compromise confidentiality, integrity, and availability of the POS environment.

Affected Systems

All installations of Campcodes Complete POS Management and Inventory System up to version 4.0.6 are impacted. The affected component is the SettingsController.php file within the Environment Variable Handler. Users of earlier versions are not affected.

Risk and Exploitability

The CVSS score for this issue is 5.3, reflecting moderate severity. An EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. However, the description states that exploitation can be performed remotely and that the exploit has been publicly disclosed. Likely attack vectors include sending crafted input to the SettingsController endpoint via an HTTP request, allowing unauthorized manipulation of environment variables or execution of injected code. Although the severity is moderate, the remote nature and public disclosure make it a significant risk worth addressing promptly.

Generated by OpenCVE AI on April 5, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Campcodes Complete POS Management and Inventory System to a version newer than 4.0.6 once available from the vendor.
  • If an upgrade is not immediately possible, restrict the input to the Environment Variable Handler to a whitelist of safe values or apply input sanitization to eliminate injection vectors.
  • Monitor the system for anomalous environment variable changes or unexpected command execution, and review logs for suspicious activity.
  • Coordinate with Campcodes support to obtain official patch or workaround details as they become available.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Campcodes; Campcodes complete Pos Management And Inventory System
Vendors & Products | | Campcodes; Campcodes complete Pos Management And Inventory System

Mon, 06 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Campcodes Complete POS Management and Inventory System up to 4.0.6. This affects an unknown function of the file app/Http/Controllers/SettingsController.php of the component Environment Variable Handler. Executing a manipulation can lead to injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Title | | Campcodes Complete POS Management and Inventory System Environment Variable SettingsController.php injection
Weaknesses | | CWE-707; CWE-74
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Campcodes Complete Pos Management And Inventory System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T15:28:34.132Z

Reserved: 2026-04-04T14:02:58.664Z

Link: CVE-2026-5561

Vulnrichment

Updated: 2026-04-06T15:28:29.966Z

NVD

Status: Deferred

Published: 2026-04-05T11:16:56.790

Modified: 2026-04-24T18:14:34.620

Link: CVE-2026-5561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:52Z

Weaknesses