Local File Inclusion Vulnerability in OpenSourcePOS by OpenSourcePOS
CVE-2026-26746

8.8HIGH

Key Information:

Vendor: OpenSourcePOS
Status: OpenSourcePOS
Vendor: CVE Published:; 20 February 2026

🔔 Create OpenSourcePOS Vulnerability Alert

What is CVE-2026-26746?

OpenSourcePOS version 3.4.1 is susceptible to a Local File Inclusion (LFI) vulnerability within the Sales.php::getInvoice() function. By manipulating the Invoice Type configuration, an attacker can gain unauthorized access to arbitrary files on the web server. This vulnerability may lead to serious security breaches, as it can be exploited in conjunction with file upload features, potentially allowing for Remote Code Execution (RCE) and further compromise of the system.

References

https://github.com/opensourcepos/opensourcepos

https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2026
Vulnerability Reserved
Feb 16, 2026

CVE-2026-26746 Data

JSON