
CVE-2025-66921: n/a

Severity: High
Published: Wed Dec 17 2025 (12/17/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

AI-Powered Analysis

AI analysis last updated: 12/17/2025, 17:17:02 UTC

Technical Analysis

CVE-2025-66921 is a cross-site scripting (XSS) vulnerability in the Create/Update Item(s) module of Open Source Point of Sale (OSPOS) version 3.4.1. The 'name' parameter submitted when an item is created or edited is neither validated on input nor HTML-encoded on output, so a value containing HTML or JavaScript is rendered verbatim into the page. The CVE record does not state whether the flaw is reflected or stored; since item names are persisted and displayed again in item listings, edit forms and sale screens, practitioners should treat it as potentially stored XSS, where one poisoned item fires for every user who later views it. The script runs in the browser context of the viewing user, typically an authenticated cashier or administrator, and can read data visible to that session (including the session cookie if it is not HttpOnly), issue requests with that user's privileges, alter displayed prices or stock, or redirect the user to an attacker-controlled site. In OSPOS, item creation and editing are back-office functions behind the employee login, so submitting the payload requires either an account with item-management rights or a way to make such a user save the attacker's value; the phrase "remote attackers" in the description should be read with that constraint in mind. No CVSS score has been assigned, no public exploit is known, and the record lists no patch reference, which suggests a fix may not have been available at publication. The CVE was reserved on 2025-12-08 and published on 2025-12-17.

Potential Impact

For European retail and hospitality organizations running Open Source POS v3.4.1, the risk is script execution inside the POS back-office interface with the privileges of whoever views the poisoned item. That can expose customer records and sales data held in the POS, allow manipulation of inventory or pricing, and disrupt sales operations if the interface is defaced or users are redirected. A resulting personal-data breach may carry GDPR notification duties and penalties in addition to direct financial and reputational loss. Because a stored item name is shown as part of normal daily workflows, a single malicious entry can reach many users without any further social engineering. The absence of known exploitation in the wild lowers the immediate likelihood but not the impact, and organizations that leave the issue unaddressed after publication may face compliance questions.

Mitigation Recommendations

Track the OSPOS project for a fixed release and upgrade as soon as one is available; that is the only complete remediation. Until then: if you maintain a fork or local patch, HTML-encode the item name at every point it is rendered (templates, and any JSON consumed by client-side rendering), rather than relying on input filtering alone. Audit existing item names for fragments such as '<', 'javascript:' or 'on...=' to find payloads that may already be stored, and clean or quarantine them. Deploy a Content Security Policy that disallows inline scripts and restricts script sources to the application's own origin; note that the policy only helps once the application's own inline script blocks and handlers have been moved to external files. Set session cookies HttpOnly and SameSite so a successful injection cannot trivially exfiltrate them. Restrict the POS management interface to trusted networks and authenticated users, and review which accounts hold item-management permissions, since those are the accounts an attacker needs to plant the payload. Monitor item create/update events in the application and web server logs for markup in the name field, and, where a WAF fronts the application, add a rule for script-like content in that parameter as a detective control.


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-12-08T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6942e1e21c1ff091367fece6

Added to database: 12/17/2025, 5:01:22 PM

Last enriched: 12/17/2025, 5:17:02 PM

Last updated: 12/18/2025, 7:48:30 AM

