CVE-2025-68658 MEDIUM

CVE-2025-68658: Open Source Point of Sale (opensourcepos) Stored XSS in Configuration (Information) – Company Name field

Vendor Opensourcepos
Product opensourcepos
Weakness CWE-79 · XSS
Published January 13, 2026
Last update January 14, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. An authenticated user with the permission “Configuration: Change OSPOS's Configuration” can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The malicious payload is stored and later triggered when a user accesses /sales/complete. First select Sales, and choose New Item to create an item, then click on Completed . Due to insufficient input validation and output encoding, the payload is rendered and executed in the user’s browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2.

Key dates

02Disclosure timeline

January 13, 2026 CVE published
January 14, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12280 code-projects Client Details System update-clients.php cross site scripting CVE-2021-25083 Registrations for the Events Calendar < 2.7.10 - Reflected Cross-Site Scripting CVE-2025-23865 WordPress Winning Portfolio plugin <= 1.1 - Stored Cross Site Scripting (XSS) vulnerability CVE-2022-1980 SourceCodester Product Show Room Site cross site scripting CVE-2025-6382 Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute