hungnqdz

4 exploits Active since Feb 2026
CVE-2026-26746 GITHUB HIGH python WRITEUP
OpenSourcePOS 3.4.1 - Local File Inclusion and Remote Code Execution via Invoice Type Manipulation
OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).
10 stars
CVSS 8.8
CVE-2026-26746 NOMISEC HIGH WRITEUP
OpenSourcePOS 3.4.1 - Local File Inclusion and Remote Code Execution via Invoice Type Manipulation
OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).
CVSS 8.8
CVE-2025-70093 WRITEUP HIGH WRITEUP
OpenSourcePOS 3.4.1 - Remote Code Execution via Crafted AJAX Response
An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.
CVSS 7.4
CVE-2025-70094 WRITEUP MEDIUM WRITEUP
OpenSourcePOS 3.4.1 - Stored Cross-Site Scripting via Item Category Parameter
A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter.
CVSS 6.5