CVE-2025-41011
Awaiting Analysis Awaiting Analysis - Queue
HTML Injection in PHP Point of Sale Reports Allows Browser Exploitation

Publication date: 2026-04-21

Last updated on: 2026-05-06

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', ussing 'start_date_formatted' y 'end_date_formatted' parameters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-41011
EUVD
EUVD-2025-209543
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phppointofsale php_point_of_sale 19.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-41011 is an HTML injection vulnerability found in PHP Point Of Sale version 19.4, a sales software.

This vulnerability occurs because the software does not properly validate user input in the 'start_date_formatted' and 'end_date_formatted' parameters when a request is sent to the endpoint '/reports/generate/specific_customer'.

As a result, an attacker can inject and render arbitrary HTML code in the victim's browser, potentially leading to malicious effects.

Impact Analysis

This vulnerability allows an attacker to inject arbitrary HTML into the victim's browser, which can lead to various security issues such as phishing, session hijacking, or defacement of the web interface.

Since the vulnerability requires user interaction (UI:A) and has a medium severity score (CVSS 5.1), the impact depends on the attacker's ability to trick users into triggering the malicious input.

Detection Guidance

This vulnerability can be detected by monitoring or testing requests sent to the endpoint '/reports/generate/specific_customer' in PHP Point of Sale version 19.4, specifically by examining the parameters 'start_date_formatted' and 'end_date_formatted' for improper input validation that allows HTML injection.

A practical approach is to send crafted HTTP requests to this endpoint with HTML or script tags embedded in the 'start_date_formatted' and 'end_date_formatted' parameters and observe if the injected HTML is rendered in the response or victim's browser.

Example command using curl to test for the vulnerability:

  • curl -X POST 'http://<target-ip-or-domain>/reports/generate/specific_customer' -d 'start_date_formatted=<script>alert(1)</script>&end_date_formatted=2026-01-01'

If the response or the rendered page executes or displays the injected HTML/script, the system is vulnerable.

Mitigation Strategies

Currently, no official patch or solution has been reported for this vulnerability.

Immediate mitigation steps include:

  • Restrict access to the vulnerable endpoint '/reports/generate/specific_customer' to trusted users only.
  • Implement input validation or sanitization on the parameters 'start_date_formatted' and 'end_date_formatted' at the web application firewall (WAF) or proxy level to block malicious HTML or script content.
  • Monitor logs for suspicious requests containing HTML or script tags targeting these parameters.
  • Educate users to be cautious about interacting with suspicious links or inputs that might exploit this vulnerability.
Compliance Impact

The provided information does not specify how the HTML injection vulnerability in PHP Point of Sale v19.4 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart