CVE-2026-26746

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26746

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26746.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26746

Published

2026-02-20T17:25:55.920Z

Modified

2026-02-26T01:24:00.001941Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).

References

Affected packages

Git / github.com/opensourcepos/opensourcepos

Affected ranges

Type: GIT
Repo: https://github.com/opensourcepos/opensourcepos
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

5f395d987b02562092b838073cb2e23a22d2bca4

Affected versions

2.*

2.3.1

2.3.2

2.3.3

2.3.4

2.4.0

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.1.1

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.4.0

3.4.1

master.*

master.3.3.5

master.3.3.6

master.3.4.0-dev

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26746.json"