CVE-2026-8802 MEDIUM

CVE-2026-8802: opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal

Vendor Opensourcepos

Product Open Source Point of Sale

Weakness CWE-22 · Path traversal

Published May 18, 2026

Last update May 18, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X

What the vulnerability does

Description

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.

Key dates

Disclosure timeline

May 18, 2026 CVE published

May 18, 2026 Record updated

Identifiers

CVE CVE-2026-8802

CWE CWE-22

CVSS 5.3 / MEDIUM

Affected versions

Vendor Opensourcepos

Product Open Source Point of Sale

Affected 3.4.0

Vendor Opensourcepos

Product Open Source Point of Sale

Affected 3.4.1

Vendor Opensourcepos

Product Open Source Point of Sale

Affected 3.4.2