CVE-2025-41011
HTML Injection in PHP Point of Sale Reports Allows Browser Exploitation
Publication date: 2026-04-21
Last updated on: 2026-05-06
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phppointofsale | php_point_of_sale | 19.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-41011 is an HTML injection vulnerability found in PHP Point Of Sale version 19.4, a sales software.
This vulnerability occurs because the software does not properly validate user input in the 'start_date_formatted' and 'end_date_formatted' parameters when a request is sent to the endpoint '/reports/generate/specific_customer'.
As a result, an attacker can inject and render arbitrary HTML code in the victim's browser, potentially leading to malicious effects.
How can this vulnerability impact me? :
This vulnerability allows an attacker to inject arbitrary HTML into the victim's browser, which can lead to various security issues such as phishing, session hijacking, or defacement of the web interface.
Since the vulnerability requires user interaction (UI:A) and has a medium severity score (CVSS 5.1), the impact depends on the attacker's ability to trick users into triggering the malicious input.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring or testing requests sent to the endpoint '/reports/generate/specific_customer' in PHP Point of Sale version 19.4, specifically by examining the parameters 'start_date_formatted' and 'end_date_formatted' for improper input validation that allows HTML injection.
A practical approach is to send crafted HTTP requests to this endpoint with HTML or script tags embedded in the 'start_date_formatted' and 'end_date_formatted' parameters and observe if the injected HTML is rendered in the response or victim's browser.
Example command using curl to test for the vulnerability:
- curl -X POST 'http://<target-ip-or-domain>/reports/generate/specific_customer' -d 'start_date_formatted=<script>alert(1)</script>&end_date_formatted=2026-01-01'
If the response or the rendered page executes or displays the injected HTML/script, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Currently, no official patch or solution has been reported for this vulnerability.
Immediate mitigation steps include:
- Restrict access to the vulnerable endpoint '/reports/generate/specific_customer' to trusted users only.
- Implement input validation or sanitization on the parameters 'start_date_formatted' and 'end_date_formatted' at the web application firewall (WAF) or proxy level to block malicious HTML or script content.
- Monitor logs for suspicious requests containing HTML or script tags targeting these parameters.
- Educate users to be cautious about interacting with suspicious links or inputs that might exploit this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the HTML injection vulnerability in PHP Point of Sale v19.4 impacts compliance with common standards and regulations such as GDPR or HIPAA.