CVE-2026-26745

Second‑Order SQL Injection in OpenSourcePOS 3.4.1 Currency Symbol Setting

Description

OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.

INFO

Published Date :

2026-02-20T00:00:00.000Z

Last Modified :

2026-02-23T20:22:06.979Z

Source :

mitre

AFFECTED PRODUCTS

The following products are affected by CVE-2026-26745 vulnerability.

Vendors	Products
Opensourcepos	Open Source Point Of Sale Opensourcepos

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26745.

URL	Resource
https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26745.md
https://github.com/opensourcepos/opensourcepos

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact