CVE-2026-8802 | opensourcepos Open Source Point of Sale up to 3.4.2 Items.php getPicThumb pic_filename path traversal (GHSA-xq63-3v4g-39r5)

Inserito da Angelo Barbosa | Mag 18, 2026 | CVE

A vulnerability classified as critical was found in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal.

This vulnerability is cataloged as CVE-2026-8802. The attack may be launched remotely. There is no exploit available.

A patch should be applied to remediate this issue.

The vendor was contacted early about this disclosure.

CVE-2026-8802 | opensourcepos Open Source Point of Sale up to 3.4.2 Items.php getPicThumb pic_filename path traversal (GHSA-xq63-3v4g-39r5)

Post correlati

CVE-2024-54763 | ipTIME A2004 12.17.0 /login/hostinfo.cgi information disclosure

CVE-2025-6546 | Drive Folder Embedder Plugin up to 1.1.0 on WordPress tablecssclass cross site scripting

CVE-2024-2889 | WP Lab WP-Lister Lite for Amazon Plugin up to 2.6.11 on WordPress cross site scripting

CVE-2021-46931 | Linux Kernel up to 5.10.89/5.15.12 mlx5e mlx5e_tx_reporter_dump_sq Privilege Escalation (73665165b64a/07f13d58a8ec/918fc3855a65)