CVE ID: CVE-2026-26746
Vulnerability Type: Local File Inclusion (LFI) and Directory Traversal (CWE-22)
Affected Product: OpenSourcePOS
Affected Version: 3.4.1
Affected Component: Sales Module / Configuration
Impact: Remote Code Execution (RCE) and Sensitive Data Exposure

1. Executive Summary
A critical vulnerability in OpenSourcePOS 3.4.1 allows an authenticated attacker to perform LFI. Manipulating the configuration can lead to directory traversal and the inclusion of arbitrary files. Combined with the file upload functionality, this can escalate to RCE.

2. Technical Analysis
Vulnerability in function. The application retrieves from a database and passes it to function without sanitization. An attacker can use sequences to include any file.

3. Proof of Concept (PoC)
Inject a path traversal payload via the Invoice Type. Trigger Local File Inclusion. Prepare a malicious file for RCE.

4. Impact
System Compromise: Full RCE allows execution of arbitrary system commands.
Data Breach: Sensitive configuration files (e.g., .env) are readable.

5. Remediation
Implement input validation and sanitization. Use for directory paths. Harden the system by disabling PHP execution in the directory.
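One way to apply the remediation above, as an added PHP example that is not OpenSourcePOS code: the configuration-derived invoice type is accepted only if it is a plain identifier on an allowlist and the canonical path stays inside the template directory. The function name, the template directory, the ".php" naming and the allowlist are assumptions.

```php
<?php
// Added example, not from the OpenSourcePOS code base.
// Assumptions: invoice templates live under $templateDir and are named
// "<type>.php"; the allowlist below is illustrative.
function resolveInvoiceTemplate(string $invoiceType, string $templateDir): ?string
{
    // Template identifiers the application actually ships (assumed).
    $allowed = ['invoice', 'receipt', 'quote'];

    // 1. Reject anything that is not a bare identifier: no slashes, dots or NUL,
    //    so "../" sequences and absolute paths never reach the filesystem.
    if (!preg_match('/\A[a-z0-9_]+\z/', $invoiceType)) {
        return null;
    }
    // 2. Reject values outside the allowlist even when syntactically clean.
    if (!in_array($invoiceType, $allowed, true)) {
        return null;
    }
    // 3. Defence in depth: canonicalise and confirm the file is inside the
    //    template directory. realpath() returns false for missing files.
    $baseDir  = realpath($templateDir);
    $resolved = realpath($templateDir . DIRECTORY_SEPARATOR . $invoiceType . '.php');
    if ($baseDir === false || $resolved === false) {
        return null;
    }
    if (strpos($resolved, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed samples: a legitimate value and a traversal attempt. In the
// application the value would come from the configuration table.
foreach (['receipt', '../../.env'] as $value) {
    $template = resolveInvoiceTemplate($value, __DIR__ . '/views/sales');
    if ($template === null) {
        echo $value, ' => rejected', PHP_EOL;
        continue;
    }
    // Only an allowlisted, contained path is ever passed to require/include.
    echo $value, ' => ', $template, PHP_EOL;
}
```

A null result should be treated as a configuration error and logged; never fall back to including the raw value.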