CVE-2025-70095

6.5 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in OpenSourcePOS v3.4.1 allows attackers to inject malicious scripts into item management and sales invoice functions. When exploited, it enables execution of arbitrary web scripts or HTML in users' browsers. Any organization using the vulnerable version of OpenSourcePOS is affected.

💻 Affected Systems

Products:
  • OpenSourcePOS
Versions: v3.4.1
Operating Systems: Any OS running OpenSourcePOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of OpenSourcePOS v3.4.1 with item management and sales invoice functions enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, deface the application, or perform actions on behalf of authenticated users, potentially leading to data theft or financial fraud.

🟠 Likely Case

Attackers inject malicious scripts to steal session cookies or credentials, potentially gaining unauthorized access to the POS system and sensitive sales data.

🟢 If Mitigated

With proper input validation and output encoding, the impact is limited to minor UI disruption without data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to item management or sales invoice functions, typically requiring some level of authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub repository for latest version > v3.4.1

Vendor Advisory: https://github.com/opensourcepos/opensourcepos

Restart Required: No

Instructions:

1. Back up the current installation and database.
2. Download the latest OpenSourcePOS version from GitHub.
3. Replace the vulnerable files with the patched versions.
4. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement server-side input validation to sanitize user inputs in the item management and sales invoice functions.

Content Security Policy (all)

Implement strict Content Security Policy headers to restrict the sources from which scripts may execute.

🧯 If You Can't Patch

  • Disable or restrict access to item management and sales invoice functions for untrusted users.
  • Implement web application firewall (WAF) rules to block XSS payload patterns.

🔍 How to Verify

Check if Vulnerable:

Check if running OpenSourcePOS v3.4.1 by examining version files or admin interface.

Check Version:

Check version.php file or admin dashboard for version information.

Verify Fix Applied:

Test item management and sales invoice functions with XSS payloads to ensure they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual input patterns in item names or invoice fields containing script tags or JavaScript code

Network Indicators:

  • HTTP requests with suspicious parameters containing script elements

SIEM Query:

web_requests WHERE (uri CONTAINS 'item' OR uri CONTAINS 'invoice') AND (params CONTAINS '<script' OR params CONTAINS 'javascript:')
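The SIEM query above is pseudo-syntax; here is an added example (not part of the original advisory) that applies the same logic to access-log lines. The log lines are constructed, and the paths /items/... and /sales/invoice are assumptions rather than OpenSourcePOS's real routes. It also shows the caveat a literal CONTAINS '<script' misses: browsers percent-encode query values, so the match must be done on decoded parameters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (hypothetical, not from any real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /items/search?name=Coffee+Beans HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "POST /items/save?name=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /sales/invoice?comment=javascript%3Avoid(0) HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2025:10:00:12 +0000] "GET /reports/summary?q=%3Cscript%3E HTTP/1.1" 200 1024
"""

# Pull the request target out of a combined-format log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The two markers named in the advisory's SIEM query.
XSS_MARKERS = ("<script", "javascript:")


def request_matches(target: str) -> bool:
    """Apply the SIEM logic to one request target.

    The URI must mention 'item' or 'invoice', and a parameter value must
    contain '<script' or 'javascript:'. parse_qs percent-decodes the values,
    so %3Cscript%3E is compared as '<script' rather than as raw text.
    """
    parts = urlsplit(target)
    path = parts.path.lower()
    if "item" not in path and "invoice" not in path:
        return False
    values = [v for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
    return any(marker in v.lower() for v in values for marker in XSS_MARKERS)


def flag_requests(log_text: str) -> list[str]:
    """Return the request targets in log_text that match the detection logic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and request_matches(m.group("target")):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("suspicious:", target)
```

Only the two item/invoice requests carrying a decoded marker are flagged; the /reports/summary request matches the payload pattern but not the URI filter, exactly as the query above is written.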
