PT-2026-28516 · Unknown · Open Source Point Of Sale

Venukamatchi · Published 2026-03-27 · Updated 2026-03-27 · CVE-2026-33730

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open Source Point of Sale (opensourcepos), versions prior to 3.4.2

Description: The application is a web-based point of sale system written in PHP on the CodeIgniter framework. An authenticated user with limited privileges can reach the password change functionality for other users, including administrators, by manipulating the employee id parameter in the request. The handler verifies only that the caller is logged in; it performs no authorization check and no ownership check, so it never confirms that the current user is permitted to modify the account identified by the supplied employee id. A low-privilege employee can therefore set a new password on an administrator account and take it over, which is why the vector scores integrity impact as high while confidentiality and availability are unaffected. Version 3.4.2 introduces object-level authorization checks that validate ownership of the employee id being accessed.

Recommendations: Update to version 3.4.2 or later.
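The following PHP sketch is an added example written for this advisory; it is not code from opensourcepos or from the 3.4.2 fix. It models the flaw described above in framework-free form: `$users` stands in for the employees table, `$sessionUserId` for the logged-in employee, and `$request` for the submitted form data. The function names, field names and sample accounts are all assumptions chosen for the illustration. The vulnerable handler writes whichever employee id the client names; the hardened handler adds the object-level check, allowing the write only when the target is the caller's own row or the caller holds the admin privilege.

```php
<?php
declare(strict_types=1);

// Added illustration of the CVE-2026-33730 pattern, not opensourcepos code.
// Every identifier below is an assumption made for this example.

/** Constructed sample store: employee id => account record. */
function sampleUsers(): array
{
    return [
        1 => ['username' => 'admin',   'is_admin' => true,  'hash' => password_hash('adm1n-secret', PASSWORD_DEFAULT)],
        2 => ['username' => 'cashier', 'is_admin' => false, 'hash' => password_hash('cashier-pw',   PASSWORD_DEFAULT)],
    ];
}

/**
 * Vulnerable pattern: authentication is checked, authorization is not.
 * Whatever employee_id the client sends is the row that gets written.
 */
function changePasswordVulnerable(array &$users, int $sessionUserId, array $request): bool
{
    if (!isset($users[$sessionUserId])) {
        return false;                                   // not logged in
    }
    $target = (int) ($request['employee_id'] ?? 0);     // attacker-controlled
    if (!isset($users[$target])) {
        return false;
    }
    $users[$target]['hash'] = password_hash($request['new_password'], PASSWORD_DEFAULT);
    return true;
}

/**
 * Hardened pattern: object-level authorization. The write is allowed only if
 * the target row is the caller's own, or the caller holds the admin privilege.
 * Anything else is refused outright rather than silently redirected to the
 * caller's own row, so the attempt can be logged and alerted on.
 */
function changePasswordFixed(array &$users, int $sessionUserId, array $request): bool
{
    if (!isset($users[$sessionUserId])) {
        return false;                                   // not logged in
    }
    $caller = $users[$sessionUserId];
    $target = (int) ($request['employee_id'] ?? $sessionUserId);
    if (!isset($users[$target])) {
        return false;
    }
    if ($target !== $sessionUserId && !$caller['is_admin']) {
        error_log("authz: employee {$sessionUserId} tried to change password of employee {$target}");
        return false;                                   // ownership check fails
    }
    $users[$target]['hash'] = password_hash($request['new_password'], PASSWORD_DEFAULT);
    return true;
}

// Scenario: the cashier (id 2) submits employee_id=1 with a new password.
$attack = ['employee_id' => '1', 'new_password' => 'pwned'];

$users = sampleUsers();
changePasswordVulnerable($users, 2, $attack);
echo 'vulnerable: admin password replaced by attacker? ',
     password_verify('pwned', $users[1]['hash']) ? "yes\n" : "no\n";

$users = sampleUsers();
$accepted = changePasswordFixed($users, 2, $attack);
echo 'fixed: attacker request accepted? ', $accepted ? "yes\n" : "no\n";
echo 'fixed: admin password unchanged? ',
     password_verify('adm1n-secret', $users[1]['hash']) ? "yes\n" : "no\n";

// The legitimate paths still work: self-service and admin acting on another account.
$users = sampleUsers();
echo 'fixed: cashier changes own password? ',
     changePasswordFixed($users, 2, ['employee_id' => '2', 'new_password' => 'new-pw']) ? "yes\n" : "no\n";
echo 'fixed: admin resets cashier password? ',
     changePasswordFixed($users, 1, ['employee_id' => '2', 'new_password' => 'reset']) ? "yes\n" : "no\n";
```

Run it with `php example.php`. The design point is that the check is made against the session's identity and privilege, not against anything in the request: the employee id from the form is only a lookup key, and the decision to honour it is taken server-side. Rejecting the mismatched request, rather than quietly substituting the caller's own id, preserves a signal that a user probed another account.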

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-33730

Affected Products: Open Source Point Of Sale