CVE-2026-26746

HighPublic PoC

Published: 20 February 2026

Published

20 February 2026

Modified

24 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0034 56.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26746 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Opensourcepos Open Source Point Of Sale. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents LFI by validating and sanitizing the Invoice Type input parameter to block path traversal and arbitrary file reads.

SI-2 Flaw Remediation good match

prevent

Remediates the specific flaw in Sales.php::getInvoice() through timely patching or updates to eliminate the vulnerability.

AC-3 Access Enforcement partial match

prevent

Enforces access control policies to restrict low-privileged users from reading arbitrary files, mitigating exploitation even if input flaws exist.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

LFI vulnerability in public-facing web application enables arbitrary file reads over the network with low privileges and can chain to RCE, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to…

achieve Remote Code Execution (RCE).

Deeper analysisAI

CVE-2026-26746 is a Local File Inclusion (LFI) vulnerability in OpenSourcePOS version 3.4.1, specifically within the Sales.php::getInvoice() function. By manipulating the Invoice Type configuration, an attacker can read arbitrary files on the affected web server. This issue, published on 2026-02-20, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-434.

The vulnerability can be exploited over the network by an attacker with low privileges, such as a logged-in user, requiring low complexity and no user interaction. Successful exploitation allows arbitrary file reads, and when chained with the application's file upload functionality, enables remote code execution (RCE) with high impacts on confidentiality, integrity, and availability.

Mitigation details and advisories are documented in the GitHub repository at https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.md, while the OpenSourcePOS project repository at https://github.com/opensourcepos/opensourcepos may provide patches or updates.