Platform: php
Component: codeigniter
Fixed in: 3.4.4
CVE-2026-39380 describes a Stored Cross-Site Scripting (XSS) vulnerability within the Open Source Point of Sale application, a PHP-based point-of-sale system built on the CodeIgniter framework. This vulnerability allows attackers to inject malicious JavaScript code, which is then stored in the database and executed when the Employees interface is rendered. The vulnerability impacts versions 1.0.0 through 3.4.2, and a fix is available in version 3.4.3.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This could lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's interface. An attacker could potentially gain access to sensitive data, such as customer information or financial records, depending on the privileges of the affected user. The stored nature of the vulnerability means that the malicious script persists in the database, potentially affecting multiple users over time.
CVE-2026-39380 was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code had been released at the time of writing. The vulnerability's severity is rated MEDIUM. It has not been added to the CISA KEV catalog.
Exploit Status: EPSS 0.03% (8th percentile)
The primary mitigation for CVE-2026-39380 is to upgrade Open Source Point of Sale to version 3.4.3 or later, which contains the necessary fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the stock_location parameter to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and sanitize user-supplied data to minimize the risk of XSS vulnerabilities.
Update to version 3.4.3 or higher to mitigate the XSS vulnerability. The update corrects the lack of user input sanitization in the 'stock_location' parameter, preventing the injection of malicious JavaScript code.
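As an added illustration of the two mitigations named above (not code from the Open Source Point of Sale project, which is not reproduced here), the following plain-PHP snippet validates a stock_location value on input and HTML-encodes it on output in both the text and attribute contexts an Employees table row might use; the validation rule, function names and sample value are assumptions chosen for the example.

```php
<?php
// Added example, not project code: defensive handling of the 'stock_location'
// value named in the advisory. Two independent layers, so a value that slipped
// past validation (or was stored before the fix) still renders inert.

declare(strict_types=1);

/**
 * Input validation. Assumption for this example: a stock location is a short,
 * human-readable name that never needs angle brackets or quotes.
 * Returns the trimmed value, or null when the value must be rejected.
 */
function validate_stock_location(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || mb_strlen($value) > 64) {
        return null;
    }
    // Letters, digits, spaces and a few punctuation characters only.
    if (!preg_match('/^[\p{L}\p{N} ._\-]+$/u', $value)) {
        return null;
    }
    return $value;
}

/** Output encoding for HTML text and double-quoted attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one Employees-table row with the location escaped in every context it appears. */
function render_employee_row(string $name, string $stockLocation): string
{
    return '<tr data-location="' . h($stockLocation) . '">'
         . '<td>' . h($name) . '</td>'
         . '<td>' . h($stockLocation) . '</td>'
         . '</tr>';
}

// Constructed sample value containing markup and a quote character.
$sample = 'Main <b>Store</b>"';
var_dump(validate_stock_location($sample));       // NULL: rejected on input
echo render_employee_row('Ada', $sample), "\n";   // stored copy renders as inert text
```

The `h()` wrapper is the piece to apply at every render point; the validation rule is deliberately strict and should be loosened only to match the characters real location names actually need.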
CVE-2026-39380 is a Stored Cross-Site Scripting (XSS) vulnerability in Open Source Point of Sale versions 1.0.0 through 3.4.2, allowing attackers to inject malicious JavaScript code.
You are affected if you are using Open Source Point of Sale versions 1.0.0 through 3.4.2. Upgrade to version 3.4.3 to resolve the vulnerability.
Upgrade Open Source Point of Sale to version 3.4.3 or later. Implement input validation and output encoding as a temporary workaround.
There is no confirmed active exploitation of CVE-2026-39380 at this time, but the vulnerability is publicly known.
Refer to the Open Source Point of Sale project's official website or repository for the latest security advisories and updates.