Stored XSS Vulnerability in Open Source Point of Sale by Open Source POS
CVE-2026-39380

5.4 MEDIUM

Key Information:

Vendor
CVE Published: 7 April 2026

What is CVE-2026-39380?

Open Source Point of Sale, a web-based application built on the CodeIgniter framework, is susceptible to a stored cross-site scripting (XSS) vulnerability. The flaw is in the Stock Locations configuration feature, where the stock_location parameter is not adequately sanitized. An attacker can inject JavaScript that is stored in the application's database and then executed when the Employees interface renders the value. The issue affects versions prior to 3.4.3 and was mitigated in the 3.4.3 update.

Affected Version(s)

opensourcepos < 3.4.3

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
