CVE-2025-70093
Awaiting Analysis Awaiting Analysis - Queue
Arbitrary Code Execution via AJAX Response in OpenSourcePOS

Publication date: 2026-02-13

Last updated on: 2026-02-17

Assigner: MITRE

Description
An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-70093
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opensourcepos open_source_point_of_sale 3.4.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenSourcePOS version 3.4.1 and allows attackers to execute arbitrary code by returning a crafted AJAX response.

The issue is related to improper handling of AJAX responses, specifically the Content-Type headers, which can be manipulated to execute malicious code.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code on the affected system, potentially leading to unauthorized access, data manipulation, or disruption of service.

This could compromise the integrity and security of the OpenSourcePOS application and any sensitive data it processes.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves improper Content-Type headers in AJAX responses in OpenSourcePOS v3.4.1, which allows attackers to execute arbitrary code via crafted AJAX responses.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can monitor AJAX responses from the OpenSourcePOS application and check if the Content-Type header is set correctly to "application/json".'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the issue include using curl or similar tools to inspect AJAX endpoints for their Content-Type headers. For example:'}, {'type': 'list_item', 'content': 'curl -I http://your-opensourcepos-instance/path/to/ajax/endpoint'}, {'type': 'list_item', 'content': 'Look for the Content-Type header in the response headers. If it is missing or not set to "application/json", the system may be vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, you can use network monitoring tools like Wireshark or browser developer tools to inspect AJAX responses and verify their Content-Type headers.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to ensure that all AJAX responses from OpenSourcePOS set the Content-Type header to "application/json" consistently.'}, {'type': 'paragraph', 'content': 'This can be achieved by applying the fix described in the official pull request #4357, which modifies over 46 instances across 12 controller files to enforce proper JSON response handling.'}, {'type': 'list_item', 'content': 'Update your OpenSourcePOS installation to version 3.4.2 or later where this fix is included.'}, {'type': 'list_item', 'content': 'If immediate update is not possible, manually patch the application by replacing incorrect or missing Content-Type headers in AJAX responses with "application/json" and ensure all AJAX responses use the framework’s response methods correctly.'}, {'type': 'paragraph', 'content': 'Testing after applying the fix is important to verify no regressions occur, especially in UI components like category dropdowns.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70093. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart