{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26745", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-23T20:22:06.979Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-20T16:38:55.616Z"}, "descriptions": [{"lang": "en", "value": "OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos"}, {"url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26745.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T20:21:59.506238Z", "id": "CVE-2026-26745", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:22:06.979Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26745", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T20:21:59.506238Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:21:47.317Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos"}, {"url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26745.md"}], "descriptions": [{"lang": "en", "value": "OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-20T16:38:55.616Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26745", "state": "PUBLISHED", "dateUpdated": "2026-02-23T20:22:06.979Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensourcepos:open_source_point_of_sale:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "8EC6C4DB-C7B4-46A5-9479-851918C55014", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed."}, {"lang": "es", "value": "OpenSourcePOS 3.4.1 tiene una vulnerabilidad de inyecci\u00f3n SQL de segundo orden en el manejo del campo de configuraci\u00f3n currency_symbol. Aunque la entrada se almacena inicialmente sin ejecuci\u00f3n inmediata, posteriormente se concatena en una consulta SQL construida din\u00e1micamente sin la sanitizaci\u00f3n o el enlace de par\u00e1metros adecuados. Esto permite a un atacante con acceso para modificar el valor de currency_symbol inyectar expresiones SQL arbitrarias, las cuales se ejecutan cuando la consulta afectada es procesada posteriormente."}], "id": "CVE-2026-26745", "lastModified": "2026-02-24T20:45:24.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T17:25:55.807", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26745.md"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/opensourcepos/opensourcepos"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.4.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "opensourcepos", "vendor": "opensourcepos"}], "analysis": {"en": {"generated_at": "2026-04-18T11:37:46.269135+00:00", "value": {"mitigation_remediation": ["Update to a patched release of OpenSourcePOS that corrects the handling of the currency_symbol field", "Restrict write access to the currency_symbol configuration to trusted administrators only, preventing untrusted users from altering the value", "Implement input validation or sanitize the currency_symbol value before storing or using it in any SQL query to block injection attempts"], "summary": {"action": "Patch Now", "impact": "Data Compromise and Unauthorized Database Access"}, "threat_synthesis": {"affected_systems": "The affected software is OpenSourcePOS, an open\u2011source point\u2011of\u2011sale application, specifically version 3.4.1 No other vendors or products are listed as impacted.", "description_and_impact": "OpenSourcePOS version 3.4.1 contains a second\u2011order SQL injection vulnerability in the handling of the currency_symbol configuration field. The input is stored as entered and later concatenated into a dynamically constructed SQL query without sanitization or parameter binding. This flaw allows an attacker who can modify the currency_symbol value to inject arbitrary SQL expressions that are executed when the query is processed, potentially exposing or altering sensitive data. The weakness is identified as CWE\u201189.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploits are documented. Exploitation requires the attacker to have permissions to modify the currency_symbol setting, typically through administrative access to the application shell or configuration interface. The likely attack vector is a privileged user changing the configuration, and based on the description, it is inferred that once that access is achieved the attacker can execute arbitrary SQL commands, compromising database confidentiality and integrity."}}}}, "created": "2026-02-23T14:47:22.334684+00:00", "title": "Second\u2011Order SQL Injection in OpenSourcePOS 3.4.1 Currency Symbol Setting", "updated": "2026-04-18T11:45:44.593736+00:00", "vendors": ["opensourcepos", "opensourcepos$PRODUCT$opensourcepos"]}