CVE-2026-26746

HighPublic PoC

Published: 20 February 2026

Published

20 February 2026

Modified

24 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0034 56.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to…

achieve Remote Code Execution (RCE).

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents LFI by validating and sanitizing the Invoice Type input parameter to block path traversal and arbitrary file reads.

SI-2 Flaw Remediation good match

prevent

Remediates the specific flaw in Sales.php::getInvoice() through timely patching or updates to eliminate the vulnerability.

AC-3 Access Enforcement partial match

prevent

Enforces access control policies to restrict low-privileged users from reading arbitrary files, mitigating exploitation even if input flaws exist.

Security SummaryAI

CVE-2026-26746 is a Local File Inclusion (LFI) vulnerability in OpenSourcePOS version 3.4.1, specifically within the Sales.php::getInvoice() function. By manipulating the Invoice Type configuration, an attacker can read arbitrary files on the affected web server. This issue, published on 2026-02-20, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-434.

The vulnerability can be exploited over the network by an attacker with low privileges, such as a logged-in user, requiring low complexity and no user interaction. Successful exploitation allows arbitrary file reads, and when chained with the application's file upload functionality, enables remote code execution (RCE) with high impacts on confidentiality, integrity, and availability.

Mitigation details and advisories are documented in the GitHub repository at https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.md, while the OpenSourcePOS project repository at https://github.com/opensourcepos/opensourcepos may provide patches or updates.

Details

CWE(s): CWE-434

Affected Products

opensourcepos

open source point of sale

3.4.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

LFI vulnerability in public-facing web application enables arbitrary file reads over the network with low privileges and can chain to RCE, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.md
Exploit, Mitigation, Third Party Advisory · cve@mitre.org
https://github.com/opensourcepos/opensourcepos
Product · cve@mitre.org