Cyber Resilience

CVE-2025-70093

HighPublic PoCRCE

Published: 13 February 2026

Published
13 February 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0009 24.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-70093 is a high-severity Command Injection (CWE-77) vulnerability in Opensourcepos Open Source Point Of Sale. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2025-70093, published on 2026-02-13, is a vulnerability in OpenSourcePOS version 3.4.1 that enables attackers to execute arbitrary code by returning a crafted AJAX response. The issue is classified under CWE-77 and carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to significant impacts on confidentiality and integrity.

Unauthenticated remote attackers can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation allows arbitrary code execution on the affected system, potentially leading to unauthorized access, data manipulation, or further compromise without disrupting availability.

Advisories and patches are referenced in a research writeup at https://github.com/hungnqdz/cve-research/blob/main/CVE-2025-70093.md, a fix via pull request #4357 at https://github.com/opensourcepos/opensourcepos/pull/4357, and the project site at https://www.opensourcepos.org, where practitioners should check for updates and apply mitigations accordingly.

EU & UK References

Vulnerability details

An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct RCE via crafted AJAX response in public-facing web app (CWE-77 command injection) maps to initial access via public app exploitation and command/script execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26746Same product: Opensourcepos Open Source Point Of Sale
CVE-2025-68434Same product: Opensourcepos Open Source Point Of Sale
CVE-2026-32888Same product: Opensourcepos Open Source Point Of Sale
CVE-2025-67397Shared CWE-77
CVE-2024-55030Shared CWE-77
CVE-2025-24818Shared CWE-77
CVE-2025-9223Shared CWE-77
CVE-2026-8431Shared CWE-77
CVE-2026-44869Shared CWE-77
CVE-2025-0593Shared CWE-77

Affected Assets

opensourcepos
open source point of sale
3.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all untrusted data—including AJAX responses—before processing or execution, blocking the crafted response that triggers arbitrary code (CWE-77).

preventdetect

Mandates mechanisms to detect and block malicious code delivered via network responses before it can be executed on the OpenSourcePOS system.

SC-18 Mobile Code partial match
prevent

Restricts acceptance and execution of mobile code (e.g., scripts or dynamic content in AJAX responses) from untrusted sources, limiting the attack vector used in this CVE.

References