CVE-2026-8803 is reported against opensourcepos Open Source Point of Sale up to 3.4.2 and affects the Employee Login flow in `app/Models/Employee.php`. The reported issue involves weak hash handling and is described as remotely reachable, but with high complexity and difficult to exploit. Importantly, the vendor says the legacy code remains to support an upgrade path, that the default password is init [truncated]
CVE-2026-8802 describes a path traversal flaw in OpenSourcePOS Open Source Point of Sale up to version 3.4.2. The issue is in `getPicThumb` within `app/Controllers/Items.php`, where the `pic_filename` argument can be manipulated to reach unintended file paths. The vulnerability is remotely reachable and has a published fix in commit `def0c27a0e252668df8d942fc31e16d1edfd7323`. NVD lists the issue as CWE-22 [truncated]