CVE-2026-26746

8.8 HIGH

📋 TL;DR

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability that allows an authenticated user with access to the sales interface to read arbitrary files readable by the web server process by manipulating invoice type settings. Combined with the application's file upload functionality, the file inclusion can be escalated to remote code execution. All deployments running OpenSourcePOS 3.4.1 are affected.

💻 Affected Systems

Products:
  • OpenSourcePOS
Versions: 3.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the sales interface; file upload functionality must be enabled for RCE chain.

📦 What is this software?

OpenSourcePOS (OSPOS) is a free, web-based point-of-sale and inventory management application written in PHP on the CodeIgniter framework, typically deployed on Apache or nginx with a MySQL/MariaDB database. Its sales interface, where this issue lives, is used by cashiers and store staff day to day.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through remote code execution, allowing data theft, malware deployment, and complete system control.

🟠

Likely Case

Sensitive file disclosure (configuration files, database credentials, source code) leading to further attacks.

🟢

If Mitigated

Strict file permissions limit disclosure to files the web server process can read. Since that set includes the application's own configuration and database credentials, information disclosure remains possible even when the upload-based RCE chain is blocked.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (authenticated access to the sales interface is required)
Complexity: LOW

Exploit requires some level of access to manipulate invoice settings; RCE requires chaining with file upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/opensourcepos/opensourcepos

Restart Required: No

Instructions:

1. Monitor the official OpenSourcePOS repository for updates.
2. Apply the patch when available.
3. Test in a development environment before deploying to production.

🔧 Temporary Workarounds

Disable file upload functionality

Platform: all

Prevents chaining the LFI with an uploaded file to achieve RCE; the file read itself remains possible.

Restrict file permissions

Platform: linux

Set strict ownership and permissions on the application tree: files readable by the web server group but not writable by it, directories traversable (directories need the execute bit, so a single chmod 640 across the tree would break the application). Run as root. Give group write (770 on directories, 660 on files) only to the directories the application must write to, such as its upload and log directories. This limits what the LFI can reach outside the application tree; files the web server process itself must read, including the application's database configuration, remain disclosable.

chown -R root:www-data /path/to/opensourcepos
find /path/to/opensourcepos -type d -exec chmod 750 {} +
find /path/to/opensourcepos -type f -exec chmod 640 {} +

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block directory-traversal sequences (../ and ..\ and their URL-encoded and double-encoded forms) in requests to the sales endpoints
  • Restrict network access to the OpenSourcePOS interface to trusted IPs only; the exploit requires a logged-in session, so also review sales-interface accounts and remove unused ones

🔍 How to Verify

Check if Vulnerable:

Check whether the instance is running OpenSourcePOS 3.4.1. On a system you are authorized to test, attempt to read a known local file through the invoice type setting; a vulnerable instance returns the file contents instead of an error.

Check Version:

Check the version shown in the admin panel or recorded in the application's configuration. application/controllers/Sales.php is the controller handling the affected sales interface, not a reliable place to find the version string.

Verify Fix Applied:

Verify version is updated beyond 3.4.1; test LFI attempts return errors instead of file contents.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs, such as sales-interface requests followed by responses whose size matches system or configuration files
  • Requests containing ../ or ..\ sequences, including URL-encoded (%2e%2e%2f, ..%2f) and double-encoded (%252e%252e%252f) forms, or embedded null bytes (%00)

Network Indicators:

  • HTTP requests with suspicious file path parameters in invoice-related endpoints

SIEM Query:

web_access_logs | where url contains "/sales" and (url contains "../" or url contains "..%2f" or url contains "%2e%2e" or url contains "%252e")

OpenSourcePOS routes requests through CodeIgniter, so the controller appears as a path segment (/sales/... or index.php/sales/...), not as Sales.php. The affected parameter name is not published here, so match on traversal sequences rather than on a guessed parameter name.
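The SIEM query above catches only literal traversal strings. The following is an added example, not part of this advisory or the OpenSourcePOS project, showing the same detection logic run over constructed access-log lines with repeated percent-decoding so encoded and double-encoded traversal is seen. It assumes Apache/nginx combined log format and that the vulnerable handler is reached through the CodeIgniter sales controller (path contains /sales). The query parameter name `type` in the sample lines is a stand-in; the real parameter is not named on this page.

```python
"""Flag path-traversal attempts against the OpenSourcePOS sales endpoints.

Added example (not the advisory's or the project's code). Assumptions:
combined-format web server logs, and the affected handler lives under the
CodeIgniter "sales" controller, so the request path contains "/sales".
"""
import re
from urllib.parse import unquote

# Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Traversal indicators, checked after decoding: Unix and Windows separators,
# plus NUL bytes historically used to truncate appended extensions.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|\x00|%00)', re.IGNORECASE)


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e%252e%252f collapses to ../ ."""
    prev = None
    for _ in range(rounds):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target


def is_suspicious(target: str) -> bool:
    """True when a decoded sales-endpoint request carries a traversal sequence."""
    decoded = decode_target(target).lower()
    return "/sales" in decoded and bool(TRAVERSAL.search(decoded))


def scan(lines):
    """Return (ip, raw_target, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits


# Constructed sample lines (not real traffic). "type" is a placeholder parameter name.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /index.php/sales HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2026:10:01:07 +0000] "POST /index.php/sales/save HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2026:10:02:15 +0000] "GET /index.php/sales?type=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.5"',
    '203.0.113.9 - - [12/Mar/2026:10:02:19 +0000] "GET /index.php/sales?type=..%2f..%2f..%2fapplication%2fconfig%2fdatabase.php HTTP/1.1" 200 1337 "-" "curl/8.5"',
    '203.0.113.9 - - [12/Mar/2026:10:02:25 +0000] "GET /index.php/sales?type=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048 "-" "curl/8.5"',
    '198.51.100.7 - - [12/Mar/2026:10:03:00 +0000] "GET /index.php/items?search=../x HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

The scope to /sales mirrors the SIEM query; drop that condition to hunt for the same technique against other controllers (the last sample line is then flagged too). A 200 status on a flagged request is the strongest signal that the read succeeded.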
