CVE-2025-70093
Published: 13 February 2026
Summary
CVE-2025-70093 is a high-severity Command Injection (CWE-77) vulnerability in Opensourcepos Open Source Point Of Sale. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via crafted AJAX response in public-facing web app (CWE-77 command injection) maps to initial access via public app exploitation and command/script execution.
NVD Description
An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.
Deeper analysisAI
CVE-2025-70093, published on 2026-02-13, is a vulnerability in OpenSourcePOS version 3.4.1 that enables attackers to execute arbitrary code by returning a crafted AJAX response. The issue is classified under CWE-77 and carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to significant impacts on confidentiality and integrity.
Unauthenticated remote attackers can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation allows arbitrary code execution on the affected system, potentially leading to unauthorized access, data manipulation, or further compromise without disrupting availability.
Advisories and patches are referenced in a research writeup at https://github.com/hungnqdz/cve-research/blob/main/CVE-2025-70093.md, a fix via pull request #4357 at https://github.com/opensourcepos/opensourcepos/pull/4357, and the project site at https://www.opensourcepos.org, where practitioners should check for updates and apply mitigations accordingly.
Details
- CWE(s)