CVE-2025-67261

MEDIUM

Abacre Retail Point of Sale 14.0.0.396 - Blind SQL Injection via Orders Search Function

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-67261. PoCs published by Smarttfoxx.

AI-analyzed exploit summary: This repository provides a detailed writeup and proof-of-concept for a content-based blind SQL injection vulnerability in Abacre Retail Point of Sale 14.0.0.396. The vulnerability is demonstrated through specific SQL payloads that confirm the existence of tables and data within the Firebird database.

Description

Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page.

Exploits (1)

nomisec WRITEUP 1 stars
by Smarttfoxx · poc
https://github.com/Smarttfoxx/CVE-2025-67261

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: Abacre Retail Point of Sale 14.0.0.396
No auth needed
Prerequisites: Access to the Orders page Search function
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.5
EPSS 0.0018
EPSS Percentile 8.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE CWE-89
Status published
Products (1)
abacre/retail_point_of_sale 14.0.0.396
Published Jan 20, 2026
Tracked Since Feb 18, 2026