hungnqdz

4 exploits Active since Feb 2026
CVE-2026-26746 GITHUB HIGH python WRITEUP
OpenSourcePOS 3.4.1 - LFI
OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).
10 stars
CVSS 8.8
CVE-2026-26746 NOMISEC HIGH WRITEUP
OpenSourcePOS 3.4.1 - LFI
OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).
CVSS 8.8
CVE-2025-70093 WRITEUP HIGH WRITEUP
OpenSourcePOS <3.4.1 - RCE
An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.
CVSS 7.4
CVE-2025-70094 WRITEUP MEDIUM WRITEUP
OpenSourcePOS v3.4.1 - XSS
A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter.
CVSS 6.5