CVE-2026-8803

LOW

opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash

Title source: cna

Description

A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. It affects the function Login in the file app/Models/Employee.php of the component Employee Login. The manipulation results in the use of a weak hash. The attack can be carried out remotely. Its complexity is considered high, and exploitation is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function."

References (3)

Core References
Vdb Entry, Technical Description
VDB-364436 | opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash
https://vuldb.com/vuln/364436
Signature, Permissions Required
VDB-364436 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/364436/cti
Third Party Advisory
Submit #802561 | opensourcepos Open Source Point of Sale 3.4.1 Weak Encoding for Password
https://vuldb.com/submit/802561

Scores

CVSS v3 3.7
EPSS 0.0018
EPSS Percentile 7.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-327 CWE-328
Status published
Products (3)
opensourcepos/Open Source Point of Sale 3.4.0
opensourcepos/Open Source Point of Sale 3.4.1
opensourcepos/Open Source Point of Sale 3.4.2
Published May 18, 2026
Tracked Since May 18, 2026