EIP-2026-112885

PRE-CVE

Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112885. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary: This is a proof-of-concept for a persistent XSS vulnerability in Ultimate POS 4.4, where the 'name' parameter in the product module is vulnerable to script injection. The exploit demonstrates how an attacker with vendor privileges can inject malicious JavaScript payloads via POST requests.

Description

Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)

Exploits (1)

exploitdb WORKING POC
by Vulnerability-Lab · text · webapps · php
https://www.exploit-db.com/exploits/50492


Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Ultimate POS v4.4
Auth required
Prerequisites: Vendor privileges in Ultimate POS · Access to the product creation/edit functionality
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026