CVE-2025-70094

6.5 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in OpenSourcePOS allows attackers to inject malicious scripts into the Item Category parameter during barcode generation. When exploited, it enables execution of arbitrary JavaScript in victims' browsers, potentially compromising user sessions or stealing sensitive data. All users of OpenSourcePOS v3.4.1 with the Generate Item Barcode function enabled are affected.

💻 Affected Systems

Products:
  • OpenSourcePOS
Versions: v3.4.1
Operating Systems: All platforms running OpenSourcePOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default installation when using the Generate Item Barcode function. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain full control of the POS system, manipulate transactions, or exfiltrate sensitive customer payment data.

🟠 Likely Case

Attackers could perform session hijacking, redirect users to malicious sites, or deface the application interface with injected content.

🟢 If Mitigated

With proper input validation and output encoding, the vulnerability would be neutralized, preventing script execution while maintaining barcode functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the barcode generation interface, which typically requires some level of authentication. The vulnerability is in the web interface component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after pull request #4357 is merged

Vendor Advisory: https://github.com/opensourcepos/opensourcepos/pull/4357

Restart Required: No

Instructions:

1. Update OpenSourcePOS to the latest version that includes the fix from pull request #4357.
2. Apply the patch that adds proper input validation and output encoding for the Item Category parameter.
3. Verify the fix by testing barcode generation with various inputs.

🔧 Temporary Workarounds

Disable Barcode Generation

Platforms: all

Temporarily disable the Generate Item Barcode function to prevent exploitation while waiting for the patch.

Modify the application configuration to remove or disable the barcode generation functionality.

Input Validation Filter

Platforms: all

Implement server-side input validation to reject malicious payloads in the Item Category parameter.

Add input sanitization in the barcode generation controller to strip or escape HTML/JavaScript characters.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads
  • Restrict access to the barcode generation function to trusted users only using role-based access controls

🔍 How to Verify

Check if Vulnerable:

Test the Generate Item Barcode function by entering a test payload like <script>alert('XSS')</script> in the Item Category field and checking whether the script executes.

Check Version:

Check the OpenSourcePOS version in the application's about page or configuration files

Verify Fix Applied:

After patching, repeat the test with the same payload and verify that no script executes and that the input is properly encoded in the rendered output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual characters or script tags in Item Category parameter logs
  • Multiple failed barcode generation attempts with special characters

Network Indicators:

  • HTTP requests containing script tags or JavaScript in Item Category parameter
  • Unusual outbound connections from the POS system after barcode generation

SIEM Query:

source="opensourcepos_logs" AND (ItemCategory CONTAINS "<script>" OR ItemCategory CONTAINS "javascript:" OR ItemCategory CONTAINS "onerror=" OR ItemCategory CONTAINS "onload=")
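As an added defensive example (not from this advisory or the OpenSourcePOS project), the following Python applies the same indicator match as the SIEM query above to constructed web-server access-log lines, but percent-decodes the parameter before matching, because a literal CONTAINS "<script>" on the raw request line misses URL-encoded and double-encoded payloads. The endpoint path /items/generate_barcodes, the parameter name item_category and the log lines themselves are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines; the path and parameter name are assumed,
# not taken from OpenSourcePOS. Lines 2, 3 and 5 carry XSS indicators.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [12/Jan/2025:10:01:02 +0000] "GET /items/generate_barcodes?item_category=Beverages HTTP/1.1" 200 512',
    '10.0.0.7 - admin [12/Jan/2025:10:02:15 +0000] "GET /items/generate_barcodes?item_category=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.7 - admin [12/Jan/2025:10:03:40 +0000] "GET /items/generate_barcodes?item_category=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 640',
    '10.0.0.9 - clerk [12/Jan/2025:10:04:00 +0000] "GET /items/generate_barcodes?item_category=Snacks%20%26%20Candy HTTP/1.1" 200 500',
    '10.0.0.7 - admin [12/Jan/2025:10:05:10 +0000] "GET /items/generate_barcodes?item_category=%253Cscript%253Ealert(2)%253C%252Fscript%253E HTTP/1.1" 200 640',
]

# Same indicators as the SIEM query, compared case-insensitively after decoding.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_item_category(line: str):
    """Return the (once-decoded) item_category value from a log line, or None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    values = parse_qs(query, keep_blank_values=True).get("item_category")
    return values[0] if values else None


def is_suspicious(value: str) -> bool:
    """True when the fully decoded value contains any XSS indicator."""
    lowered = decode_fully(value).lower()
    return any(indicator in lowered for indicator in INDICATORS)


def scan_logs(lines):
    """Return (line_number, decoded_value) for each request flagged by is_suspicious."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = extract_item_category(line)
        if value is not None and is_suspicious(value):
            hits.append((number, decode_fully(value)))
    return hits


if __name__ == "__main__":
    for number, value in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: suspicious item_category = {value!r}")
```

A raw-string match on the request line would flag only line 2 of the sample after decoding once and none of them before decoding; decoding to a fixed point catches the double-encoded case on line 5 as well.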
