opensourcepos CVE Vulnerabilities & Metrics

Focus on opensourcepos vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About opensourcepos Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with opensourcepos. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total opensourcepos CVEs: 5
Earliest CVE date: 28 Jul 2022, 20:15 UTC
Latest CVE date: 17 Dec 2025, 18:15 UTC

Latest CVE reference: CVE-2025-66924

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 4

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical opensourcepos CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 5
4.0-6.9 0
7.0-8.9 0
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS opensourcepos CVEs

These are the five CVEs with the highest CVSS scores for opensourcepos, sorted first by severity and then by recency.

All CVEs for opensourcepos

CVE-2025-66924 opensourcepos vulnerability CVSS: 0 17 Dec 2025, 18:15 UTC

A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

CVE-2025-66923 opensourcepos vulnerability CVSS: 0 17 Dec 2025, 18:15 UTC

A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter.

CVE-2025-66921 opensourcepos vulnerability CVSS: 0 17 Dec 2025, 17:15 UTC

A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

CVE-2025-63800 opensourcepos vulnerability CVSS: 0 18 Nov 2025, 16:15 UTC

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts.

CVE-2022-34578 opensourcepos vulnerability CVSS: 0 28 Jul 2022, 20:15 UTC

Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page.