CVE-2026-39380 MEDIUM

CVE-2026-39380: Open Source Point of Sale has Stored XSS in Stock Location (Configuration)

Vendor Opensourcepos
Product opensourcepos
Weakness CWE-79 · XSS
Published April 7, 2026
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 8, 2026 Record updated