Description
A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.
Published: 2026-05-18
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the getPicThumb function of the Items controller (app/Controllers/Items.php): the pic_filename argument is not validated before it is used to build a filesystem path. A user who can reach the endpoint can supply a filename containing traversal sequences such as ../, so the path resolves outside the intended thumbnail directory and the application returns a file the web server process can read. The published CVSS vectors record a limited confidentiality impact (C:L / VC:L) with no integrity or availability impact, so the practical risk is disclosure of readable files such as application configuration or stored database credentials.

Affected Systems

The vulnerability affects Open Source Point of Sale by opensourcepos, versions up to and including 3.4.2. The fix is commit def0c27a0e252668df8d942fc31e16d1edfd7323; apply that commit or upgrade to a release that contains it.

Risk and Exploitability

The CVSS 4.0 score of 5.3 (CVSS 3.1: 4.3) indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The vectors describe a network attack with low complexity, no user interaction, and low privileges required (CVSS 2 Au:S, CVSS 3.x and 4.0 PR:L), so exploitation needs an authenticated account, though any account that can reach the Items controller suffices; a single request with a crafted pic_filename then returns a file from outside the thumbnail directory. The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Applying the patch removes the flaw; until then, exposure is highest on internet-facing instances and on deployments where item-management accounts are held by users who are not fully trusted.

Generated by OpenCVE AI on May 18, 2026 at 11:20 UTC.

Remediation

The vendor fix is commit def0c27a0e252668df8d942fc31e16d1edfd7323 in the opensourcepos repository. No separate workaround has been published.

OpenCVE Recommended Actions

  • Apply the vendor patch (commit def0c27a0e252668df8d942fc31e16d1edfd7323) or upgrade to a release newer than 3.4.2 that contains it
  • Until patched, limit who can reach the Items controller: restrict the instance to trusted networks and review which accounts hold item-management access, since the vectors require only low privileges
  • Validate pic_filename server-side: accept only a plain file name (no directory separators, no ".." components, no NUL bytes) and verify that the resolved path still lies inside the thumbnail directory; reject bad input outright rather than stripping traversal sequences, because naive normalization (removing "../") can be bypassed with inputs such as "....//"
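The validation described in the last recommended action, written out as an added example. This is not code from the opensourcepos project and not the content of the patch commit; the function names, the upload directory layout and the sample files it creates are assumptions made for the demonstration. It contrasts a naive path join, which follows ../ out of the directory, with a hardened lookup that allow-lists the file name and extension and then checks the canonical path is still under the base directory.

```php
<?php
// Added example for this page; it is not code from the opensourcepos project
// and not the patch commit. Function names, the upload directory and the
// constructed sample files are assumptions for the demonstration.
declare(strict_types=1);

// Hypothetical vulnerable pattern: the request-controlled name is joined to the
// thumbnail directory as-is, so "../secret.txt" resolves outside the directory.
function thumbPathUnsafe(string $uploadDir, string $picFilename): string
{
    return $uploadDir . DIRECTORY_SEPARATOR . $picFilename;
}

// Hardened version: accept only a plain image file name, then verify that the
// resolved path is still inside the upload directory. Returns null on rejection.
function thumbPathSafe(string $uploadDir, string $picFilename): ?string
{
    // 1. Syntactic allow-list: alphanumeric first character, then [A-Za-z0-9._-]
    //    only, anchored with \z so a trailing newline cannot slip past "$".
    //    This rejects "/", "\", NUL bytes, a leading "." and still-encoded "%2F".
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $picFilename)) {
        return null;
    }

    // 2. Extension allow-list for a thumbnail endpoint.
    $ext = strtolower(pathinfo($picFilename, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return null;
    }

    // 3. Containment check after symlink and ".." resolution: the canonical
    //    path must begin with the canonical base directory plus a separator.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $picFilename);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Small check helper that does not depend on zend.assertions being enabled.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed fixture: an uploads directory with one thumbnail, and a
// "secret" file one level above it that must never be served.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ospos_thumb_demo_' . bin2hex(random_bytes(4));
$uploads = $tmp . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'item1.jpg', 'jpeg-bytes');
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'secret.txt', 'db password');

$traversal = '..' . DIRECTORY_SEPARATOR . 'secret.txt';

// The naive join points straight at the file outside the directory.
check(file_exists(thumbPathUnsafe($uploads, $traversal)), 'unsafe join escapes uploads/');

// The hardened lookup serves the legitimate thumbnail and rejects everything else.
check(thumbPathSafe($uploads, 'item1.jpg') === realpath($uploads . DIRECTORY_SEPARATOR . 'item1.jpg'),
      'legitimate thumbnail is served');
check(thumbPathSafe($uploads, $traversal) === null,       'plain ../ traversal rejected');
check(thumbPathSafe($uploads, '..%2Fsecret.txt') === null, 'still-encoded traversal rejected');
check(thumbPathSafe($uploads, "item1.jpg\0.txt") === null, 'NUL byte rejected');
check(thumbPathSafe($uploads, 'secret.txt') === null,      'non-image extension rejected');
check(thumbPathSafe($uploads, 'missing.png') === null,     'non-existent file rejected');

// Clean up the fixture.
unlink($uploads . DIRECTORY_SEPARATOR . 'item1.jpg');
unlink($tmp . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($uploads);
rmdir($tmp);
echo "all checks passed\n";
```

Run it with `php thumb_path.php`. The syntactic allow-list is the primary control; the realpath containment check is kept as a second, independent line of defence so that a symlink placed in the upload directory, or a later loosening of the regex, still cannot reach files outside it.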

Generated by OpenCVE AI on May 18, 2026 at 11:20 UTC.

Advisories

No advisories yet.

History

Mon, 18 May 2026 10:45:00 +0000 (initial record; no values removed)

Type                  Values Removed   Values Added
Description           (none)           A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.
Title                 (none)           opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal
First Time appeared   (none)           Opensourcepos; Opensourcepos Open Source Point Of Sale
Weaknesses            (none)           CWE-22
CPEs                  (none)           cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Opensourcepos; Opensourcepos Open Source Point Of Sale
References            (none)           (none)
Metrics               (none)           cvssV2_0  score 4.0  vector AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C
                                       cvssV3_0  score 4.3  vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
                                       cvssV3_1  score 4.3  vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
                                       cvssV4_0  score 5.3  vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-18T10:00:14.027Z

Reserved: 2026-05-18T04:37:48.556Z

Link: CVE-2026-8802

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T11:16:18.623

Modified: 2026-05-18T11:16:18.623

Link: CVE-2026-8802

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T11:30:24Z

Weaknesses