CVE-2025-40980

Name of the Vulnerable Software and Affected Versions UltimatePOS (affected versions not specified)

Description A Stored Cross Site Scripting vulnerability exists in UltimatePOS due to inadequate validation of user inputs. The vulnerability affects the name parameter via a POST request to the /products/<PRODUCT ID>/edit API endpoint. A remote attacker could potentially send a specially crafted query to an authenticated user and steal session cookie details.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.