CVE-2026-26745: n/a
OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.
AI Analysis
Technical Summary
CVE-2026-26745 is a second-order SQL injection in OpenSourcePOS 3.4.1, rooted in the handling of the currency_symbol configuration field. The write path is not where the bug is: a value submitted for currency_symbol is stored as-is, and nothing executes at that point. The read path is: when the application later builds a SQL query that includes the currency symbol, it concatenates the stored string directly into the query text instead of passing it as a bound parameter, so any SQL the attacker placed in the field runs at that later time. The gap in time and code path between the store and the execution is what makes this a second-order (stored) injection: the configuration form is not the sink, the later query is. An attacker who can modify currency_symbol can therefore inject arbitrary SQL expressions and read data from the database. The CVSS v3.1 base score is 5.3 (medium) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N: network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity or availability impact. At the time of enrichment no vendor patch and no public exploit were known. The weakness is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
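As an added illustration, not code from OpenSourcePOS (the tables, column names and the report query below are constructed to stand in for the pattern the advisory describes), the following Python uses an in-memory SQLite database to show the two halves of a second-order injection: a parameterized write that stores the payload harmlessly, and a later report query that splices the stored value into SQL text. The hardened sink binds the same value as a parameter and returns the payload as inert text.

```python
import sqlite3


def make_db():
    """Constructed sample schema and data; not OpenSourcePOS's real schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE app_config (key TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE sales (sale_id INTEGER PRIMARY KEY, total REAL);
        CREATE TABLE employees (username TEXT, password_hash TEXT);
        INSERT INTO app_config VALUES ('currency_symbol', '$');
        INSERT INTO sales VALUES (1, 19.99), (2, 5.00);
        INSERT INTO employees VALUES ('admin', 'example-hash');
    """)
    return db


def save_config(db, key, value):
    """First-order path: the write is parameterized, so the payload is stored
    as an inert string and nothing executes here."""
    db.execute("INSERT OR REPLACE INTO app_config (key, value) VALUES (?, ?)", (key, value))
    db.commit()


def load_config(db, key):
    row = db.execute("SELECT value FROM app_config WHERE key = ?", (key,)).fetchone()
    return row[0]


def sales_report_vulnerable(db):
    """Second-order sink: the stored value is trusted and concatenated into SQL
    text, so whatever was saved earlier becomes part of the query now."""
    symbol = load_config(db, "currency_symbol")
    sql = ("SELECT sale_id, '" + symbol + "' || printf('%.2f', total) AS display_total "
           "FROM sales")
    return db.execute(sql).fetchall()


def sales_report_fixed(db):
    """Hardened sink: the same value travels as a bound parameter, so the driver
    delivers it as data and its quotes and operators are never parsed as SQL."""
    symbol = load_config(db, "currency_symbol")
    sql = "SELECT sale_id, ? || printf('%.2f', total) AS display_total FROM sales"
    return db.execute(sql, (symbol,)).fetchall()


# Hypothetical payload: closes the string literal, appends a subquery against a
# table the report never references, then reopens the literal so the remainder
# of the original query still parses.
PAYLOAD = "' || (SELECT password_hash FROM employees LIMIT 1) || '"


def run_demo():
    """Returns report rows before and after the payload is planted."""
    db = make_db()
    before = {"vulnerable": sales_report_vulnerable(db), "fixed": sales_report_fixed(db)}
    save_config(db, "currency_symbol", PAYLOAD)   # step 1: store; nothing fires yet
    after = {"vulnerable": sales_report_vulnerable(db), "fixed": sales_report_fixed(db)}
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("benign symbol:", before["vulnerable"])
    print("vulnerable sink after planting payload:", after["vulnerable"])
    print("parameterized sink after planting payload:", after["fixed"])
```

With the benign value both sinks return `$19.99`; after the payload is stored, the concatenating sink returns the employee hash prefixed to every total, while the parameterized sink returns the payload string itself followed by the total. Note that the write in `save_config` is already parameterized, which is exactly why a first-order scan of the configuration form would miss this bug.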
Potential Impact
The impact is to the confidentiality of the OpenSourcePOS database. An attacker who reaches the sink can run arbitrary SQL expressions in the context of the affected query and use them to pull out data that query was never meant to return, such as customer data, transaction records, or other configuration details. The CVSS vector rates integrity and availability as unaffected, so tampering or denial of service is not the expected outcome; that rating assumes the injected expression stays inside a read-only query context, and the practical blast radius still depends on the privileges of the database account the application connects with. The precondition is that the attacker can already change the currency_symbol setting. Per the vector that is a low-privileged account, so the realistic threat is an insider or a compromised account holding store-configuration rights rather than an anonymous user. The absence of a public exploit lowers immediate risk, but point-of-sale systems deployed in retail environments hold personal and payment-adjacent data, and disclosure brings privacy, regulatory and reputational consequences, so the flaw deserves attention even at a medium score.
Mitigation Recommendations
Until a fixed release is available, treat the currency_symbol setting as a sensitive control: limit configuration-edit rights to a small set of trusted administrators, and log and review every change to it. Check the value that is stored right now, not only future writes; with a second-order bug a payload planted earlier keeps firing after the query is patched until the stored value is reset. Validate the field with an allowlist (a short string of currency symbols or letters) rather than a denylist of SQL keywords, which is easy to bypass and rejects legitimate values. Run the application under a database account with the minimum privileges it needs, so an injected expression cannot reach tables or functions outside the application's normal scope, and watch database activity for the affected queries returning unexpected columns or referencing unexpected tables. Apply the vendor patch as soon as it ships. The root-cause fix is to pass the currency symbol to the query as a bound parameter (prepared statement) and to do the same for every other user-controllable value that reaches SQL, including values read back from the configuration table, which must be treated as untrusted input at the point of use.
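The interim validation and the stored-value audit described above, as added example code that is not from the OpenSourcePOS project: an allowlist check for the currency_symbol value (accepting only Unicode currency symbols and letters; the five-character maximum is an assumption) and an audit over a constructed dump of stored settings, which is the check to run before and after patching because the stored payload survives the code fix.

```python
import unicodedata

MAX_SYMBOL_LEN = 5  # assumption: room for "CHF" or "R$", too short for useful SQL


def _allowed_char(ch):
    # Unicode category Sc covers currency symbols ($ € £ ¥ ₹); L* covers letters.
    cat = unicodedata.category(ch)
    return cat == "Sc" or cat.startswith("L")


def validate_currency_symbol(value):
    """Allowlist check. Quotes, spaces, operators and punctuation are rejected
    by construction rather than by guessing at SQL keywords."""
    if not isinstance(value, str) or not 1 <= len(value) <= MAX_SYMBOL_LEN:
        return False
    return all(_allowed_char(ch) for ch in value)


def explain_rejection(value):
    """Short reason for a rejected value, for audit output."""
    if not isinstance(value, str) or not value:
        return "empty or non-string"
    bad = "".join(ch for ch in value if not _allowed_char(ch))
    if bad:
        return "disallowed characters: %r" % bad
    return "longer than %d characters" % MAX_SYMBOL_LEN


def audit_config(rows):
    """rows: iterable of (key, value) as dumped from the settings table.
    Returns a finding for every currency_symbol value that fails the allowlist."""
    findings = []
    for key, value in rows:
        if key == "currency_symbol" and not validate_currency_symbol(value):
            findings.append({"key": key, "value": value, "reason": explain_rejection(value)})
    return findings


# Constructed sample dump; not real OpenSourcePOS data. The second row is a
# hypothetical planted payload of the kind the advisory describes.
SAMPLE_ROWS = [
    ("company", "Example Store"),
    ("currency_symbol", "' || (SELECT password_hash FROM employees LIMIT 1) || '"),
    ("tax_included", "0"),
]

if __name__ == "__main__":
    for f in audit_config(SAMPLE_ROWS):
        print("ALERT %s=%r (%s)" % (f["key"], f["value"], f["reason"]))
```

The allowlist is deliberately narrow; if a deployment needs a symbol outside letters and the Sc category, add that character explicitly rather than widening the check to a whole punctuation category, since the same categories that contain `.` also contain `'`, `;` and `#`.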
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, France, Brazil, India, Japan, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-02-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6998c9e6be58cf853bab77eb
Added to database: 2/20/2026, 8:53:58 PM
Last enriched: 2/28/2026, 1:20:08 PM
Last updated: 4/7/2026, 1:33:56 PM
Views: 31