opensourcepos Open Source Point of Sale up to 3.4.2 Employees Interface stock_location cross site scripting
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.4 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic was found in opensourcepos Open Source Point of Sale up to 3.4.2. The affected element is an unknown function of the component Employees Interface. Such manipulation of the argument stock_location leads to cross site scripting. This vulnerability is uniquely identified as CVE-2026-39380. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised.
Details
A vulnerability was found in opensourcepos Open Source Point of Sale up to 3.4.2. It has been rated as problematic. Affected by this issue is an unknown function of the component Employees Interface. The manipulation of the argument stock_location with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. CVE summarizes:
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3.
The advisory is available at github.com. This vulnerability is handled as CVE-2026-39380 since 04/07/2026. The exploitation is known to be easy. The attack may be launched remotely. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project.
Upgrading to version 3.4.3 eliminates this vulnerability.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.4VulDB Meta Temp Score: 4.4
VulDB Base Score: 3.5
VulDB Temp Score: 3.4
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 5.4
CNA Vector (GitHub_M): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Cross site scriptingCWE: CWE-79 / CWE-94 / CWE-74
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Open Source Point of Sale 3.4.3
Timeline
04/07/2026 Advisory disclosed04/07/2026 CVE reserved
04/07/2026 VulDB entry created
04/07/2026 VulDB entry last update
Sources
Advisory: GHSA-7hg5-68rx-xpmgStatus: Confirmed
CVE: CVE-2026-39380 (🔒)
GCVE (CVE): GCVE-0-2026-39380
GCVE (VulDB): GCVE-100-355922
Entry
Created: 04/07/2026 23:24Changes: 04/07/2026 23:24 (66)
Complete: 🔍
Cache ID: 216:EBC:103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.