CVE-2025-67263

MEDIUM

Abacre Retail Point of Sale 14.0.0.396 - Stored Cross-Site Scripting in Clients Module Name and Surname Fields


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-67263. PoCs published by Smarttfoxx.

AI-analyzed exploit summary: This repository documents a stored XSS vulnerability in Abacre Retail Point of Sale 14.0.0.396, where the Name and Surname fields in the Clients module fail to sanitize user input, allowing script execution when the 'Statement' button is clicked.

Description

Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which is persisted in the database.

Exploits (1)

nomisec WRITEUP 1 stars
by Smarttfoxx · poc
https://github.com/Smarttfoxx/CVE-2025-67263

Classification
Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Abacre Retail Point of Sale 14.0.0.396
Auth required
Prerequisites: Access to the Clients module · Ability to save malicious input in the Name/Surname fields
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0017
EPSS Percentile 6.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
abacre/retail_point_of_sale 14.0.0.396
Published Jan 20, 2026
Tracked Since Feb 18, 2026