CVE-2026-8802: Path Traversal in opensourcepos Open Source Point of Sale
A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.
AI Analysis
Technical Summary
CVE-2026-8802 is a path traversal vulnerability affecting opensourcepos Open Source Point of Sale versions 3.4.0 through 3.4.2. The vulnerability arises from insufficient validation of the pic_filename parameter in the getPicThumb function within app/Controllers/Items.php, allowing remote attackers to access files outside the intended directory. A patch has been identified (commit def0c27a0e252668df8d942fc31e16d1edfd7323) to fix this issue. The vulnerability does not require user interaction and has low complexity for exploitation.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the server by manipulating the pic_filename parameter. This could lead to unauthorized disclosure of sensitive information. The vulnerability is remotely exploitable without authentication and does not require user interaction. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch identified by commit def0c27a0e252668df8d942fc31e16d1edfd7323 is available and should be applied to affected versions 3.4.0 through 3.4.2 of opensourcepos Open Source Point of Sale. Since the vendor was contacted early and a patch exists, updating to the fixed version is the recommended remediation. Patch status is confirmed by the presence of the patch commit. No alternative mitigations are specified.
CVE-2026-8802: Path Traversal in opensourcepos Open Source Point of Sale
Description
A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-8802 is a path traversal vulnerability affecting opensourcepos Open Source Point of Sale versions 3.4.0 through 3.4.2. The vulnerability arises from insufficient validation of the pic_filename parameter in the getPicThumb function within app/Controllers/Items.php, allowing remote attackers to access files outside the intended directory. A patch has been identified (commit def0c27a0e252668df8d942fc31e16d1edfd7323) to fix this issue. The vulnerability does not require user interaction and has low complexity for exploitation.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the server by manipulating the pic_filename parameter. This could lead to unauthorized disclosure of sensitive information. The vulnerability is remotely exploitable without authentication and does not require user interaction. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch identified by commit def0c27a0e252668df8d942fc31e16d1edfd7323 is available and should be applied to affected versions 3.4.0 through 3.4.2 of opensourcepos Open Source Point of Sale. Since the vendor was contacted early and a patch exists, updating to the fixed version is the recommended remediation. Patch status is confirmed by the presence of the patch commit. No alternative mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-18T04:37:48.556Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0aebb7ec166c07b0a5d6a5
Added to database: 5/18/2026, 10:36:39 AM
Last enriched: 5/18/2026, 10:51:41 AM
Last updated: 5/20/2026, 6:11:46 PM
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.