CVE-2026-26746 identifies a Local File Inclusion (LFI) vulnerability in OpenSourcePOS version 3.4.1, specifically in the Sales.php::getInvoice() function. The vulnerability arises because the Invoice Type configuration parameter is insufficiently sanitized, allowing an attacker to manipulate it to include arbitrary files from the web server’s filesystem. This can lead to unauthorized disclosure of sensitive files such as configuration files, credentials, or source code. More critically, this LFI can be chained with the application’s file upload feature, which presumably allows uploading files to the server, to achieve Remote Code Execution (RCE). By uploading a malicious payload and then including it via the LFI, an attacker can execute arbitrary code on the server, potentially gaining full control over the system. Although no CVSS score has been assigned yet and no known exploits are reported in the wild, the vulnerability is publicly disclosed and classified as published. The lack of patch links suggests that a fix may not yet be available or widely distributed. The vulnerability affects OpenSourcePOS 3.4.1, an open-source point-of-sale system used by various retail and service organizations. The attack requires the ability to manipulate the Invoice Type configuration, which may or may not require authentication depending on the deployment. The chaining with file upload functionality increases the attack complexity but also the impact, as it enables full system compromise.

The impact of CVE-2026-26746 is significant for organizations using OpenSourcePOS 3.4.1, especially those in retail and service sectors relying on this software for sales and invoicing. Successful exploitation can lead to unauthorized disclosure of sensitive files, including credentials and configuration data, which can facilitate further attacks. The ability to chain the LFI with file upload functionality to achieve RCE raises the risk to full system compromise, allowing attackers to execute arbitrary commands, install malware, or pivot within the network. This can result in data breaches, financial fraud, disruption of sales operations, and damage to organizational reputation. Since point-of-sale systems often handle payment card data, exploitation could also lead to compliance violations and regulatory penalties. The absence of known exploits in the wild suggests limited current exposure, but the public disclosure increases the risk of future exploitation. Organizations worldwide using this version of OpenSourcePOS are vulnerable until mitigations or patches are applied.

To mitigate CVE-2026-26746, organizations should first verify if they are running OpenSourcePOS version 3.4.1 and assess exposure of the Sales.php::getInvoice() function. Immediate steps include restricting access to the Invoice Type configuration parameter to trusted administrators only, ensuring it cannot be manipulated by unauthenticated or low-privilege users. Input validation and sanitization should be implemented to prevent inclusion of arbitrary files. If possible, disable or tightly control the file upload functionality to prevent uploading of malicious payloads. Monitoring and logging access to invoicing functions and file uploads can help detect exploitation attempts. Organizations should seek updates or patches from the OpenSourcePOS maintainers and apply them promptly once available. As a temporary workaround, web application firewalls (WAFs) can be configured to block suspicious requests targeting the vulnerable parameter. Regular security assessments and penetration testing focused on file inclusion and upload features are recommended to identify residual risks.