ГлавнаяУязвимости → CVE-2026-26746
8.8высокая

CVE-2026-26746

Описание

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).

Затрагиваемое ПО
Opensourcepos Open source point of sale
CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.mdhttps://github.com/opensourcepos/opensourcepos