opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X

Description

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.

Basic Information

ID CVE-2026-8802

Source VulDB

Published May 18, 2026 at 10:00

Affected Product

Vendor opensourcepos

Product Open Source Point of Sale

Version 3.4.0

Affected Versions opensourcepos Open Source Point of Sale 3.4.0
opensourcepos Open Source Point of Sale 3.4.1
opensourcepos Open Source Point of Sale 3.4.2

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.",
    "published": "2026-05-18T10:00:14.027Z",
    "modified": "2026-05-18T10:00:14.027Z",
    "type": "cve",
    "title": "opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/364435\nhttps://vuldb.com/vuln/364435/cti\nhttps://vuldb.com/submit/802559\nhttps://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5\nhttps://github.com/opensourcepos/opensourcepos/pull/4545\nhttps://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323",
    "id": "CVE-2026-8802",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "opensourcepos Open Source Point of Sale 3.4.0\nopensourcepos Open Source Point of Sale 3.4.1\nopensourcepos Open Source Point of Sale 3.4.2",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Open Source Point of Sale",
    "version": "3.4.0",
    "vendor": "opensourcepos",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal_CVE-2026-8802