CVE-2026-5561

MEDIUM

Campcodes Complete POS Management and Inventory System Environment Variable SettingsController.php injection

Title source: cna

Description

A vulnerability was determined in Campcodes Complete POS Management and Inventory System up to 4.0.6. This affects an unknown function of the file app/Http/Controllers/SettingsController.php of the component Environment Variable Handler. Executing a manipulation can lead to injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.

References (5)

[Vdb Entry] https://vuldb.com/vuln/355331

[Signature, Permissions Required] https://vuldb.com/vuln/355331/cti

[Third Party Advisory] https://vuldb.com/submit/782934

[Exploit] https://github.com/whatyourname12345/CVE/blob/main/POS/cve.md

View Exploit ZIP pw:eip

[Product] https://www.campcodes.com/

Scores

CVSS v3 6.3

EPSS 0.0002

EPSS Percentile 3.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-707 CWE-74

Status published

Products (7)

Campcodes/Complete POS Management and Inventory System 4.0.0

Campcodes/Complete POS Management and Inventory System 4.0.1

Campcodes/Complete POS Management and Inventory System 4.0.2

Campcodes/Complete POS Management and Inventory System 4.0.3

Campcodes/Complete POS Management and Inventory System 4.0.4

Campcodes/Complete POS Management and Inventory System 4.0.5

Campcodes/Complete POS Management and Inventory System 4.0.6

Published Apr 05, 2026

Tracked Since Apr 05, 2026