CVE-2026-26746

HIGH

OpenSourcePOS 3.4.1 - LFI

Title source: llm

Description

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).

Exploits (2)

github WRITEUP 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26746

nomisec WRITEUP
by hungnqdz · poc
https://github.com/hungnqdz/CVE-2026-26746

Scores

CVSS v3 8.8
EPSS 0.0029
EPSS Percentile 52.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-434
Status published
Products (1)
opensourcepos/open_source_point_of_sale 3.4.1
Published Feb 20, 2026
Tracked Since Feb 21, 2026