Security Advisory

CVE-2026-26746

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-20 00:00:00

Last updated 2026-02-23 20:12:05

Assigner mitre

State PUBLISHED

Description

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).

← Browse all CVEs View on cve.org ↗