Description
A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the File Extension Handler at /admin/addproduct.php of SourceCodester Simple POS and Inventory System 1.0 allows an attacker to manipulate the image argument to upload arbitrary files without restriction. The remote nature of the upload function means this vulnerability can be exploited from outside the system. If the uploaded files can be executed on the server (for example, script files), the attacker could gain control of the application or the underlying server.

Affected Systems

Only the SourceCodester Simple POS and Inventory System version 1.0 is affected. No other versions or components are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS is not available, but the existence of a published exploit demonstrates that the vulnerability is usable. The vulnerability is not listed in CISA KEV. Attack vectors are remote, through the web interface that accepts image uploads, making the flaw a realistic threat for deployments that expose this endpoint.

Generated by OpenCVE AI on May 25, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or update from SourceCodester that addresses the unrestricted upload issue in addproduct.php.
  • Configure the application to accept only specific image MIME types (e.g., image/jpeg, image/png) and perform strict file extension validation on the server side.
  • Move the upload directory outside of the web root or set it to a non-executable location and adjust file permissions so that uploaded files cannot be run as scripts.
  • Deploy a WAF rule or equivalent input filtering to block or sanitize arbitrary file uploads if the vendor update is not yet available.
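The following handler is an added example of how the server-side checks in the actions above fit together; it is not code from SourceCodester Simple POS and Inventory System or from OpenCVE. The request field name `image`, the storage path `/var/app-data/product-images`, the 2 MiB size limit and the helper name `storeProductImage` are assumptions made for this illustration.

```php
<?php
// Added example (not the project's own code): a hardened image-upload handler
// that applies the recommended actions above. The field name 'image', the
// storage directory and the size limit are assumed values.

declare(strict_types=1);

// Storage directory outside the web root (assumed path). Files here are never
// executed by the web server; serve them back through a download script.
const UPLOAD_DIR = '/var/app-data/product-images';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB, assumed limit

// Allowed MIME types, detected from the file content (never from the client),
// mapped to the single canonical extension each one is stored with.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate an uploaded image and move it into UPLOAD_DIR.
 * Returns the server-chosen file name on success; throws RuntimeException otherwise.
 *
 * @param array $file one entry of $_FILES (e.g. $_FILES['image'])
 */
function storeProductImage(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // Only accept files that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Server-side extension allowlist on the client-supplied name. The
    //    name is never reused for storage, so it only gates entry here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png'], true)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content checks: ignore $file['type'] (client-controlled) and inspect
    //    the actual bytes with libmagic (fileinfo extension) and getimagesize().
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('content type not allowed');
    }
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // 3. Random, server-chosen file name with the canonical extension, so
    //    neither the name nor the extension comes from the request.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // 4. Readable, not executable; owned by the web server user.
    chmod($dest, 0644);

    return $stored;
}

// Usage in an add-product handler (request field assumed to be 'image'):
// try {
//     $imageName = storeProductImage($_FILES['image']);
//     // persist $imageName with the product record
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Invalid image upload';
// }
```

The two content checks are deliberately independent: `finfo` answers "what does libmagic think this is", `getimagesize()` answers "does PHP's image parser accept it", and the upload is only stored when both agree on an allowlisted type. If the deployment cannot move the directory outside the web root, the equivalent defence is to disable script execution for that directory in the web server configuration, which is what the third recommended action above describes.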



Advisories

No advisories yet.

History

Mon, 25 May 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Title | | SourceCodester Simple POS and Inventory System File Extension addproduct.php unrestricted upload
First Time appeared | | Sourcecodester; Sourcecodester simple Pos And Inventory System
Weaknesses | | CWE-284; CWE-434
CPEs | | cpe:2.3:a:sourcecodester:simple_pos_and_inventory_system:*:*:*:*:*:*:*:*
Vendors & Products | | Sourcecodester; Sourcecodester simple Pos And Inventory System
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Simple Pos And Inventory System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T09:15:09.554Z

Reserved: 2026-05-24T07:44:56.136Z

Link: CVE-2026-9445

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T11:32:58Z

Weaknesses