CVE-2026-8802 | opensourcepos Open Source Point of Sale up to 3.4.2 Items.php getPicThumb pic_filename path traversal (GHSA-xq63-3v4g-39r5)
A vulnerability classified as critical was found in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal.
This vulnerability is cataloged as CVE-2026-8802. The attack may be launched remotely. There is no exploit available.
A patch should be applied to remediate this issue.
The vendor was contacted early about this disclosure.