Description
A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function."
Published: 2026-05-18
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The login component of opensourcepos Open Source Point of Sale stores employee passwords using a weak hashing algorithm. If an attacker obtains the stored hash, the weak algorithm makes offline cracking feasible, letting the attacker recover employee credentials and gain unauthorized access to the point‑of‑sale system. The vulnerability is exploitable remotely; however, the attack requires some expertise and is considered difficult to execute.

Affected Systems

The flaw exists in opensourcepos Open Source Point of Sale versions up to and including 3.4.2. Any installation of these versions that uses the default employee login process is potentially affected, regardless of vendor or host environment.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity; no EPSS score is available and the issue is not listed in the CISA KEV catalog. Remote exploitation is possible but of high complexity, and the very existence of the vulnerability is currently in question. Still, an attacker could target the weak hashing mechanism to acquire usable credentials if the system is not upgraded or otherwise mitigated.

Generated by OpenCVE AI on May 18, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open Source Point of Sale to a version newer than 3.4.2 where the employee password hash has been replaced with a modern, cryptographically strong algorithm.
  • If an immediate upgrade is not possible, enforce a password reset for all employee accounts to trigger migration to a stronger hash during the next successful login.
  • Implement monitoring of failed login attempts and enforce account lockout policies to reduce the risk of brute‑force attacks against weakly hashed passwords.
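The migrate-on-login path the vendor describes, and the audit a defender would run before deciding on a reset campaign, as an added PHP illustration that is not opensourcepos code; the employees table and its columns, LEGACY_ALGO (an unsalted lowercase hex digest standing in for whatever the old scheme was) and the helper names are assumptions.

```php
<?php
// Added illustration, not opensourcepos code. Assumes an employees table with
// id/username/password; LEGACY_ALGO is a placeholder for the old scheme.
const LEGACY_ALGO = 'sha1';

// The "hash version check": anything password_hash() did not produce is legacy.
function isLegacyHash(string $stored): bool
{
    return password_get_info($stored)['algoName'] === 'unknown';
}

function rehash(PDO $db, int $id, string $password): void
{
    $stmt = $db->prepare('UPDATE employees SET password = ? WHERE id = ?');
    $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM employees WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = (string) $row['password'];
    if (isLegacyHash($stored)) {
        // Legacy path: constant-time compare, then replace the weak digest at
        // once so it survives only until the first successful login.
        if (!hash_equals($stored, hash(LEGACY_ALGO, $password))) {
            return false;
        }
        rehash($db, (int) $row['id'], $password);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    return true;
}

// Defender audit: how many accounts still carry a legacy digest. A nonzero
// count means the forced reset from the recommended actions is still needed.
function countLegacyHashes(PDO $db): int
{
    $sql = "SELECT COUNT(*) FROM employees WHERE password NOT LIKE '\$2y\$%'"
         . " AND password NOT LIKE '\$argon2%'";
    return (int) $db->query($sql)->fetchColumn();
}
```

The audit relies on password_hash() output always starting with `$2y$` (bcrypt) or `$argon2` (Argon2), so anything else in the column is a pre-migration hash.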

Advisories

No advisories yet.

History

Mon, 18 May 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | - | A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function."
Title | - | opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash
First Time appeared | - | Opensourcepos; Opensourcepos open Source Point Of Sale
Weaknesses | - | CWE-327; CWE-328
CPEs | - | cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
Vendors & Products | - | Opensourcepos; Opensourcepos open Source Point Of Sale
References | - | -
Metrics | - | cvssV2_0 {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:UR'}
  cvssV3_0 {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R'}
  cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R'}
  cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-18T11:30:08.931Z

Reserved: 2026-05-18T04:37:54.529Z

Link: CVE-2026-8803

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T12:16:17.093

Modified: 2026-05-18T12:16:17.093

Link: CVE-2026-8803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T13:30:06Z

Weaknesses