Second Order SQL Injection in OpenSourcePOS by OpenSourcePOS
CVE-2026-26745

5.3 MEDIUM

Key Information:

Vendor: OpenSourcePOS
CVE Published: 20 February 2026

What is CVE-2026-26745?

OpenSourcePOS version 3.4.1 contains a second order SQL injection vulnerability stemming from improper handling of the currency_symbol configuration field. The injection is "second order" because the user-modifiable value is not executed when it is saved: it is stored first and only later concatenated, without sanitization, into a SQL query, at which point the embedded SQL runs. As a result, any user with access to modify the currency_symbol value could use it to alter the structure of database queries that subsequently read it, leading to arbitrary SQL execution.
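The stored-then-concatenated pattern described above, as an added illustration written for this page (it is not OpenSourcePOS code): a configuration value is written safely with a bound parameter, but a later report query interpolates it as text, so a stored value containing a quote changes the query's structure. The table names, the report query and the in-memory SQLite database are all constructed for the example; the hardened variant binds the stored value as a parameter.

```python
import sqlite3

# Constructed schema standing in for an application config table and a data
# table read by a later report query (not the real OpenSourcePOS schema).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app_config(key TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE sales(id INTEGER PRIMARY KEY, total REAL, currency TEXT);
        INSERT INTO sales(total, currency) VALUES (10.0, '$'), (20.0, '$');
    """)
    return conn

def save_config(conn, key, value):
    # First order: the write is parameterized, so saving the value is safe.
    # That is exactly why the defect only shows up later (second order).
    conn.execute("INSERT OR REPLACE INTO app_config(key, value) VALUES (?, ?)",
                 (key, value))

def load_config(conn, key):
    row = conn.execute("SELECT value FROM app_config WHERE key = ?", (key,)).fetchone()
    return row[0] if row else None

def sales_total_unsafe(conn):
    # Vulnerable pattern: a value read back from the database is treated as
    # trusted and concatenated into SQL. Data from storage is still data.
    symbol = load_config(conn, "currency_symbol")
    sql = "SELECT SUM(total) FROM sales WHERE currency = '" + symbol + "'"
    return conn.execute(sql).fetchone()[0]

def sales_total_safe(conn):
    # Hardened pattern: bind the stored value, so quotes in it stay literal.
    symbol = load_config(conn, "currency_symbol")
    return conn.execute("SELECT SUM(total) FROM sales WHERE currency = ?",
                        (symbol,)).fetchone()[0]

def demo(symbol):
    """Store a currency symbol, then run both report variants.

    Returns (unsafe_result, safe_result). A symbol containing a single quote
    breaks the concatenated query (here surfacing as a SQL error, i.e. the
    query structure was altered), while the parameterized query just sees
    no matching rows.
    """
    conn = setup_db()
    save_config(conn, "currency_symbol", symbol)
    try:
        unsafe = sales_total_unsafe(conn)
    except sqlite3.Error as exc:
        unsafe = "error: " + str(exc)
    return unsafe, sales_total_safe(conn)
```

Run `demo("$")` for the benign case and `demo("kr'")` to see the concatenated query fail while the bound query returns no rows; in a code review, every query that reads a config value back and builds SQL with string concatenation is a candidate for the same defect.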

CVSS v3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 20 February 2026

  • Vulnerability reserved