HTML Injection Vulnerability in PHP Point of Sale by PHPPoint
CVE-2025-41011

5.1MEDIUM

Key Information:

Vendor: PHP Point Of Sale
Status: PHP Point Of Sale
Vendor: CVE Published:; 21 April 2026

🔔 Create PHP Point Of Sale Vulnerability Alert

What is CVE-2025-41011?

An HTML injection vulnerability in PHP Point of Sale v19.4 enables attackers to exploit inadequate input validation. By manipulating requests to '/reports/generate/specific_customer' with the 'start_date_formatted' and 'end_date_formatted' parameters, malicious users can inject arbitrary HTML into the victim's browser. This flaw poses significant risks by potentially exposing sensitive information and compromising the integrity of user sessions.

Affected Version(s)

PHP Point Of Sale 19.4

References

https://www.incibe.es/en/incibe-cert/notices/aviso/html-i...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

Gonzalo Aguilar García (6h4ack)

CVE-2025-41011 Data

JSON