CVE-2026-26746

HIGH

OpenSourcePOS 3.4.1 - Local File Inclusion and Remote Code Execution via Invoice Type Manipulation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-26746. PoCs published by XiaomingX, hungnqdz.

AI-analyzed exploit summary This is a detailed technical writeup for CVE-2026-26746, explaining an LFI vulnerability in OpenSourcePOS 3.4.1 that can be escalated to RCE via malicious file uploads. It includes code analysis, PoC steps, and remediation advice.

Description

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).

Exploits (2)

github WRITEUP 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26746

View Code ZIP pw:eip

This is a detailed technical writeup for CVE-2026-26746, explaining an LFI vulnerability in OpenSourcePOS 3.4.1 that can be escalated to RCE via malicious file uploads. It includes code analysis, PoC steps, and remediation advice.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OpenSourcePOS 3.4.1

Auth required

Prerequisites: authenticated access · ability to upload files

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WRITEUP

by hungnqdz · poc

https://github.com/hungnqdz/CVE-2026-26746

View Code ZIP pw:eip

This repository contains a detailed technical analysis of CVE-2026-26746, a Local File Inclusion (LFI) vulnerability in OpenSourcePOS 3.4.1 that can be escalated to Remote Code Execution (RCE). The writeup includes a root cause analysis, proof-of-concept steps, and remediation recommendations.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OpenSourcePOS 3.4.1

Auth required

Prerequisites: Authenticated access to the OpenSourcePOS application · Ability to upload files (e.g., company logo) · Configuration access to modify the 'invoice_type' setting

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1200 - Hardware Additions T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 22, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources

https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.md

View Exploit ZIP pw:eip

Various Sources

https://github.com/opensourcepos/opensourcepos

Scores

CVSS v3 8.8

EPSS 0.0057

EPSS Percentile 42.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

opensourcepos/open_source_point_of_sale 3.4.1

Published Feb 20, 2026

Tracked Since Feb 21, 2026