CVE-2025-70094 - Vulnerability Details - OpenCVE

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/hungnqdz/cve-research/blob/main/CVE-2025-70094.md
https://github.com/opensourcepos/opensourcepos/pull/4357
https://www.opensourcepos.org

History

Fri, 13 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter.
References		https://github.com/hungnqdz/cve-research/blob/main/CVE-2025-70094.md https://github.com/opensourcepos/opensourcepos/pull/4357 https://www.opensourcepos.org

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-02-13T00:00:00.000Z

Updated: 2026-02-13T16:36:56.152Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70094

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-13T16:16:10.977

Modified: 2026-02-13T16:16:10.977

Link: CVE-2025-70094

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70094", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-13T16:36:56.152Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-02-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-13T15:25:19.979Z"}, "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.opensourcepos.org"}, {"url": "https://github.com/opensourcepos/opensourcepos/pull/4357"}, {"url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2025-70094.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2025-70094.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T16:35:40.120725Z", "id": "CVE-2025-70094", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T16:36:56.152Z"}}]}, "dataVersion": "5.2"}