{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39380", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T22:06:40.515Z", "datePublished": "2026-04-07T19:49:13.692Z", "dateUpdated": "2026-04-08T15:49:45.758Z"}, "containers": {"cna": {"title": "Open Source Point of Sale has Stored XSS in Stock Location (Configuration)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg"}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"version": "< 3.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:49:13.692Z"}, "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3."}], "source": {"advisory": "GHSA-7hg5-68rx-xpmg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:49:41.249084Z", "id": "CVE-2026-39380", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:49:45.758Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39380", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:49:41.249084Z"}}}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:49:36.465Z"}}], "cna": {"title": "Open Source Point of Sale has Stored XSS in Stock Location (Configuration)", "source": {"advisory": "GHSA-7hg5-68rx-xpmg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"status": "affected", "version": "< 3.4.3"}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg", "name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:49:13.692Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39380", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:49:45.758Z", "dateReserved": "2026-04-06T22:06:40.515Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:49:13.692Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*", "matchCriteriaId": "33CA1AD1-86E9-4A57-8D1D-48AC5FEA0AE8", "versionEndExcluding": "3.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied through the stock_location parameter, allowing attackers to inject malicious JavaScript code that is stored in the database and executed when rendered in the Employees interface. This vulnerability is fixed in 3.4.3."}], "id": "CVE-2026-39380", "lastModified": "2026-04-24T17:51:06.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:32.617", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-7hg5-68rx-xpmg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "opensourcepos", "source": "cna", "vendor": "opensourcepos"}, "product": "opensourcepos", "vendor": "opensourcepos"}], "analysis": {"en": {"generated_at": "2026-04-07T22:17:36.051034+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to Open Source Point of Sale 3.4.3 or newer."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting in the Stock Locations configuration allows malicious JavaScript to be executed when the Employees interface renders data stored in the database, creating a risk of session hijacking or data exfiltration."}, "threat_synthesis": {"affected_systems": "Any installation of Open Source Point of Sale older than version 3.4.3 is affected. The specific vendor is Open Source POS and the product is its web\u2011based point\u2011of\u2011sale application. The vulnerability manifests in the Stock Locations configuration screen, accessed through the web interface.", "description_and_impact": "A vulnerability in earlier releases of Open Source Point of Sale permits the injection of arbitrary JavaScript code through the stock_location parameter. The input is stored in the database without proper sanitization and later rendered in the Employees view. An attacker who can submit such a payload can cause browsers of users who view the affected page to execute the script, potentially stealing session cookies or manipulating the interface.", "risk_and_exploitability": "The CVSS score of 5.4 indicates medium severity. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector involves authenticated access to the configuration interface, but if the application is exposed to unauthenticated users, remote exploitation is possible. Attackers could achieve script execution in the context of legitimate users, compromising confidentiality and integrity of sensitive data."}}}}, "created": "2026-04-08T19:34:34.143810+00:00", "updated": "2026-04-08T19:46:04.902904+00:00", "vendors": ["opensourcepos", "opensourcepos$PRODUCT$opensourcepos"]}