What is GHSA-pmmv-883q-cfwq?

GHSA-pmmv-883q-cfwq is a security advisory published by GitHub Security Advisories with Medium severity. A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue...

Which CVE IDs does GHSA-pmmv-883q-cfwq cover?

GHSA-pmmv-883q-cfwq covers the following CVE IDs: CVE-2026-8802. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-pmmv-883q-cfwq?

GHSA-pmmv-883q-cfwq has a CVSS v3 base score of 4.3, published by GitHub Security Advisories.

GHSA-pmmv-883q-cfwqMediumCVSS 4.3

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue...

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-8802 →

📋 Description

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure.

🔗 References (8)

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5
https://nvd.nist.gov/vuln/detail/CVE-2026-8802
https://github.com/opensourcepos/opensourcepos/pull/4545
https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323
https://vuldb.com/submit/802559
https://vuldb.com/vuln/364435
https://vuldb.com/vuln/364435/cti
https://github.com/advisories/GHSA-pmmv-883q-cfwq