Cyber Resilience

CVE-2026-26746

HighPublic PoC

Published: 20 February 2026

Published
20 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0057 43.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26746 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Opensourcepos Open Source Point Of Sale. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26746 is a Local File Inclusion (LFI) vulnerability in OpenSourcePOS version 3.4.1, specifically within the Sales.php::getInvoice() function. By manipulating the Invoice Type configuration, an attacker can read arbitrary files on the affected web server. This issue, published on 2026-02-20, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-434.

The vulnerability can be exploited over the network by an attacker with low privileges, such as a logged-in user, requiring low complexity and no user interaction. Successful exploitation allows arbitrary file reads, and when chained with the application's file upload functionality, enables remote code execution (RCE) with high impacts on confidentiality, integrity, and availability.

Mitigation details and advisories are documented in the GitHub repository at https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.md, while the OpenSourcePOS project repository at https://github.com/opensourcepos/opensourcepos may provide patches or updates.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to…

more

achieve Remote Code Execution (RCE).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

LFI vulnerability in public-facing web application enables arbitrary file reads over the network with low privileges and can chain to RCE, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68434Same product: Opensourcepos Open Source Point Of Sale
CVE-2026-32888Same product: Opensourcepos Open Source Point Of Sale
CVE-2025-70093Same product: Opensourcepos Open Source Point Of Sale
CVE-2025-12352Shared CWE-434
CVE-2026-1730Shared CWE-434
CVE-2025-13067Shared CWE-434
CVE-2025-54449Shared CWE-434
CVE-2025-1070Shared CWE-434
CVE-2025-12528Shared CWE-434
CVE-2025-67325Shared CWE-434

Affected Assets

opensourcepos
open source point of sale
3.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents LFI by validating and sanitizing the Invoice Type input parameter to block path traversal and arbitrary file reads.

prevent

Remediates the specific flaw in Sales.php::getInvoice() through timely patching or updates to eliminate the vulnerability.

prevent

Enforces access control policies to restrict low-privileged users from reading arbitrary files, mitigating exploitation even if input flaws exist.

References