PatchSiren cyber security CVE debrief

CVE-2026-8802 opensourcepos CVE debrief

CVE-2026-8802 describes a path traversal flaw in OpenSourcePOS (Open Source Point of Sale), affecting versions up to 3.4.2. The issue is in `getPicThumb` within `app/Controllers/Items.php`, where the `pic_filename` argument can be manipulated to reach file paths outside the intended directory. The vulnerability is remotely reachable and has a published fix in commit `def0c27a0e252668df8d942fc31e16d1edfd7323`. NVD classifies the issue as CWE-22 with a CVSS 4.0 vector indicating network access and low privileges; the overall severity is MEDIUM (5.3).

Vendor: opensourcepos
Product: Open Source Point of Sale
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

Teams running OpenSourcePOS installations up to version 3.4.2: in particular administrators, application owners, and security teams responsible for POS environments, and anyone operating a deployment that exposes the affected controller over the network.

Technical summary

The vulnerable code path is `getPicThumb` in `app/Controllers/Items.php`. According to the supplied record, attacker-controlled `pic_filename` input can lead to path traversal (CWE-22), allowing access to files outside the intended directory boundary. The CVSS vector in the source indicates the issue is network-reachable, requires no user interaction, and needs only low privileges. The reference commit `def0c27a0e252668df8d942fc31e16d1edfd7323`, the linked pull request, and the GitHub security advisory all point to the remediation.
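To make the "constrain file access to the intended directory" requirement concrete, here is an added Python illustration of the check a thumbnail lookup needs before touching the filesystem. It is not OpenSourcePOS code (the project is PHP) and `resolve_thumb_path`, `demo` and the directory layout are assumptions for the example; the point is the pattern: reject anything that is not a bare file name, then confirm the canonical resolved path is still a direct child of the base directory, which also catches symlinks.

```python
"""Illustrative hardening for a thumbnail lookup keyed by a user-supplied
file name (added example; not OpenSourcePOS code)."""
import tempfile
from pathlib import Path
from typing import Optional

# Characters that must never appear in a bare file name handed to the lookup.
_FORBIDDEN = ("/", "\\", "\0")


def resolve_thumb_path(base_dir: str, pic_filename: str) -> Optional[Path]:
    """Map a user-supplied pic_filename to a regular file strictly inside base_dir.

    Returns the canonical Path on success, or None when the name is not a plain
    file name, when it resolves outside base_dir (including via a symlink), or
    when no regular file exists there. Validate the *decoded* value the web
    framework hands you; checking the raw query string would miss %2e%2e etc.
    """
    base = Path(base_dir).resolve()
    if not pic_filename or pic_filename in (".", ".."):
        return None
    if any(ch in pic_filename for ch in _FORBIDDEN):
        return None
    candidate = (base / pic_filename).resolve()
    # Even a syntactically clean name can point elsewhere if it is a symlink,
    # so the resolved path must be a direct child of the resolved base.
    if candidate.parent != base:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway directory (constructed sample) and report which probe
    names would be served (True) and which rejected (False)."""
    with tempfile.TemporaryDirectory() as tmp:
        pics = Path(tmp) / "pics"
        pics.mkdir()
        (pics / "item_1.jpg").write_bytes(b"\xff\xd8\xff")  # minimal JPEG header
        (Path(tmp) / "secret.txt").write_text("outside the pics directory")
        probes = [
            "item_1.jpg",          # legitimate name, exists
            "../secret.txt",       # parent reference
            "sub/item_1.jpg",      # contains a separator
            "..",                  # bare parent reference
            "",                    # empty
            "item_1.jpg\0.png",    # embedded NUL
        ]
        return {name: resolve_thumb_path(str(pics), name) is not None for name in probes}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name!r:24} -> {'served' if ok else 'rejected'}")
```

When reviewing the upstream patch, the question to ask is whether every one of these probe classes is rejected before any filesystem call, not only the ones containing a literal `../`.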

Defensive priority

Medium

Recommended defensive actions

  • Apply the upstream fix associated with commit `def0c27a0e252668df8d942fc31e16d1edfd7323` or upgrade to a release that includes it.
  • Review `app/Controllers/Items.php` and confirm `pic_filename` handling now constrains file access to the intended directory.
  • Restrict access to the affected application surface to trusted users and networks where practical.
  • Audit logs and file access behavior for unexpected image-path requests or unusual file reads around the affected endpoint.
  • If you maintain a fork, backport the patch and validate it with internal testing before redeployment.
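For the log-audit action above, here is an added Python triage script, not part of the advisory or of OpenSourcePOS, that runs an allowlist over the `pic_filename` parameter in web-server access logs and flags requests that fail it. The log lines are constructed for the example, and the `/items/getPicThumb` route, the allowlist regex and the function names are assumptions; adapt them to your deployment. It decodes the parameter repeatedly so double-encoded sequences are not missed, and records whether the server answered 200, which separates attempts from requests that likely returned a file.

```python
"""Access-log triage for the thumbnail endpoint (added example; constructed log
lines; the URL route is an assumption, not a documented OpenSourcePOS route)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log lines for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2026:10:01:02 +0000] "GET /items/getPicThumb?pic_filename=item_1.jpg HTTP/1.1" 200 5120
10.0.0.9 - - [18/May/2026:10:01:07 +0000] "GET /items/getPicThumb?pic_filename=..%2F..%2Fconfig.php HTTP/1.1" 200 2210
10.0.0.9 - - [18/May/2026:10:01:09 +0000] "GET /items/getPicThumb?pic_filename=%2e%2e/%2e%2e/settings.ini HTTP/1.1" 404 0
10.0.0.9 - - [18/May/2026:10:01:12 +0000] "GET /items/getPicThumb?pic_filename=%252e%252e%252fsettings.ini HTTP/1.1" 200 310
10.0.0.7 - - [18/May/2026:10:02:30 +0000] "GET /items/getPicThumb?pic_filename=ITEM_2.PNG HTTP/1.1" 200 4880
10.0.0.7 - - [18/May/2026:10:02:31 +0000] "GET /items/index HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Allowlist describing what a legitimate thumbnail name looks like (assumed policy).
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(?:jpe?g|png|gif|webp)$", re.IGNORECASE)
ENDPOINT_SUFFIX = "/getpicthumb"  # assumed route; match your deployment


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value is stable so double encoding is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(name: str) -> str:
    """Label why a name failed the allowlist."""
    if ".." in name or "/" in name or "\\" in name or "\0" in name:
        return "traversal"
    return "unexpected-name"


def triage(log_text: str) -> list:
    """Return one finding per request whose decoded pic_filename fails the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith(ENDPOINT_SUFFIX):
            continue
        # parse_qs decodes one layer; fully_decode strips any further layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("pic_filename", []):
            name = fully_decode(raw)
            if ALLOWED_NAME.match(name):
                continue
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "name": name,
                "reason": classify(name),
                "served": m["status"] == "200",  # 200 means the server returned content
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']:16} served={f['served']} name={f['name']!r}")
```

A finding with `served=True` deserves a file-integrity and configuration review of the host, whereas `served=False` entries still identify source addresses worth blocking or watching while the patch is rolled out.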

Evidence notes

Primary evidence comes from the NVD record and supplied references. The description states that `getPicThumb` in `app/Controllers/Items.php` is affected and that manipulation of `pic_filename` causes path traversal. NVD metadata lists CWE-22 and a CVSS 4.0 vector with network access and low privileges. The fix is referenced by commit `def0c27a0e252668df8d942fc31e16d1edfd7323`, the linked pull request `#4545`, and the GitHub advisory `GHSA-xq63-3v4g-39r5`.

Official resources

Published publicly on 2026-05-18 in the supplied CVE/NVD record. The source notes that the vendor was contacted early about the disclosure.