{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5561", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-04T14:02:58.664Z", "datePublished": "2026-04-05T10:45:13.245Z", "dateUpdated": "2026-04-06T15:28:34.132Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T10:45:13.245Z"}, "title": "Campcodes Complete POS Management and Inventory System Environment Variable SettingsController.php injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-707", "lang": "en", "description": "Improper Neutralization"}]}], "affected": [{"vendor": "Campcodes", "product": "Complete POS Management and Inventory System", "versions": [{"version": "4.0.0", "status": "affected"}, {"version": "4.0.1", "status": "affected"}, {"version": "4.0.2", "status": "affected"}, {"version": "4.0.3", "status": "affected"}, {"version": "4.0.4", "status": "affected"}, {"version": "4.0.5", "status": "affected"}, {"version": "4.0.6", "status": "affected"}], "modules": ["Environment Variable Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Campcodes Complete POS Management and Inventory System up to 4.0.6. This affects an unknown function of the file app/Http/Controllers/SettingsController.php of the component Environment Variable Handler. Executing a manipulation can lead to injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-04T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-04T16:09:13.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "chenkh (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355331", "name": "VDB-355331 | Campcodes Complete POS Management and Inventory System Environment Variable SettingsController.php injection", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/355331/cti", "name": "VDB-355331 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782934", "name": "Submit #782934 | CampCodes Administrator Complete POS Management And Inventory System v4.0.6 remote", "tags": ["third-party-advisory"]}, {"url": "https://github.com/whatyourname12345/CVE/blob/main/POS/cve.md", "tags": ["exploit"]}, {"url": "https://www.campcodes.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:28:25.412934Z", "id": "CVE-2026-5561", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:28:34.132Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5561", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:28:25.412934Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:28:29.966Z"}}], "cna": {"tags": ["x_freeware"], "title": "Campcodes Complete POS Management and Inventory System Environment Variable SettingsController.php injection", "credits": [{"lang": "en", "type": "reporter", "value": "chenkh (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Campcodes", "modules": ["Environment Variable Handler"], "product": "Complete POS Management and Inventory System", "versions": [{"status": "affected", "version": "4.0.0"}, {"status": "affected", "version": "4.0.1"}, {"status": "affected", "version": "4.0.2"}, {"status": "affected", "version": "4.0.3"}, {"status": "affected", "version": "4.0.4"}, {"status": "affected", "version": "4.0.5"}, {"status": "affected", "version": "4.0.6"}]}], "timeline": [{"lang": "en", "time": "2026-04-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-04T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-04T16:09:13.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355331", "name": "VDB-355331 | Campcodes Complete POS Management and Inventory System Environment Variable SettingsController.php injection", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/355331/cti", "name": "VDB-355331 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782934", "name": "Submit #782934 | CampCodes Administrator Complete POS Management And Inventory System v4.0.6 remote", "tags": ["third-party-advisory"]}, {"url": "https://github.com/whatyourname12345/CVE/blob/main/POS/cve.md", "tags": ["exploit"]}, {"url": "https://www.campcodes.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Campcodes Complete POS Management and Inventory System up to 4.0.6. This affects an unknown function of the file app/Http/Controllers/SettingsController.php of the component Environment Variable Handler. Executing a manipulation can lead to injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-707", "description": "Improper Neutralization"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T10:45:13.245Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5561", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:28:34.132Z", "dateReserved": "2026-04-04T14:02:58.664Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-05T10:45:13.245Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Campcodes Complete POS Management and Inventory System up to 4.0.6. This affects an unknown function of the file app/Http/Controllers/SettingsController.php of the component Environment Variable Handler. Executing a manipulation can lead to injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized."}], "id": "CVE-2026-5561", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-05T11:16:56.790", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/whatyourname12345/CVE/blob/main/POS/cve.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/782934"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355331"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355331/cti"}, {"source": "cna@vuldb.com", "url": "https://www.campcodes.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-707"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "complete_pos_management_and_inventory_system", "vendor": "campcodes"}], "analysis": {"en": {"generated_at": "2026-04-05T14:21:13.265232+00:00", "value": {"mitigation_remediation": ["Upgrade Campcodes Complete POS Management and Inventory System to a version newer than 4.0.6 once available from the vendor.", "If an upgrade is not immediately possible, restrict the input to the Environment Variable Handler to a whitelist of safe values or apply input sanitization to eliminate injection vectors.", "Monitor the system for anomalous environment variable changes or unexpected command execution, and review logs for suspicious activity.", "Coordinate with Campcodes support to obtain official patch or workaround details as they become available."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Campcodes Complete POS Management and Inventory System up to version 4.0.6 are impacted. The affected component is the SettingsController.php file within the Environment Variable Handler. Users of earlier versions are not affected.", "description_and_impact": "A vulnerability exists in the Environment Variable Handler component of Campcodes Complete POS Management and Inventory System, specifically affecting an undisclosed function in app/Http/Controllers/SettingsController.php. The flaw permits injection of malicious input, which can lead to the execution of unintended commands or alteration of critical environment settings. Because injection occurs in code that manages system configuration, an attacker may compromise the integrity of the application or gain unauthorized access to the underlying operating system. The vulnerability is classed as an injection weakness (CWE-707 and CWE-74) and could compromise confidentiality, integrity, and availability of the POS environment.", "risk_and_exploitability": "The CVSS score for this issue is 5.3, reflecting moderate severity. An EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, the description states that exploitation can be performed remotely and that the exploit has been publicly disclosed. Likely attack vectors include sending crafted input to the SettingsController endpoint via an HTTP request, allowing unauthorized manipulation of environment variables or execution of injected code. Although the severity is moderate, the remote nature and public disclosure make it a significant risk worth addressing promptly."}}}}, "created": "2026-04-06T20:26:18.224407+00:00", "updated": "2026-04-06T21:56:52.273430+00:00", "vendors": ["campcodes", "campcodes$PRODUCT$complete_pos_management_and_inventory_system"]}