CVE-2026-26745

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26745

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26745.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26745

Published

2026-02-20T17:25:55.807Z

Modified

2026-02-26T01:23:59.942018Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currencysymbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currencysymbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.

References

Affected packages

Git / github.com/opensourcepos/opensourcepos

Affected ranges

Type: GIT
Repo: https://github.com/opensourcepos/opensourcepos
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

5f395d987b02562092b838073cb2e23a22d2bca4

Affected versions

2.*

2.3.1

2.3.2

2.3.3

2.3.4

2.4.0

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.1.1

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.4.0

3.4.1

master.*

master.3.3.5

master.3.3.6

master.3.4.0-dev

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26745.json"