Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3.
References
| Link | Resource |
|---|---|
| https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg | Exploit Vendor Advisory |
| https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg | Exploit Vendor Advisory |
Configurations
History
24 Apr 2026, 17:51
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg - Exploit, Vendor Advisory | |
| First Time |
Opensourcepos
Opensourcepos open Source Point Of Sale |
|
| CPE | cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:* |
08 Apr 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg - |
07 Apr 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-07 20:16
Updated : 2026-04-24 17:51
NVD link : CVE-2026-39380
Mitre link : CVE-2026-39380
CVE.ORG link : CVE-2026-39380
JSON object : View
Products Affected
opensourcepos
- open_source_point_of_sale
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')