CVE-2026-8803
Received Received - Intake
Weak Hash Usage in OpenSourcePOS Employee Login

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: VulDB

Description
A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-18
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8803
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opensourcepos opensourcepos to 3.4.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in the Open Source Point of Sale (opensourcepos) software up to version 3.4.2, specifically in the Employee Login function within the file app/Models/Employee.php. The issue involves the use of a weak hash function for passwords, which could potentially be exploited remotely. However, the attack is considered to have high complexity and is difficult to exploit. Additionally, the vendor notes that the weak hash code remains only to support upgrade paths and that passwords are migrated to a stronger hash after login. The weak hash is not actively used once a password is changed.

Impact Analysis

The impact of this vulnerability is related to the potential use of weak password hashing, which could allow an attacker to compromise employee login credentials if they manage to exploit the flaw. However, the exploitability is difficult and the attack complexity is high, reducing the likelihood of successful exploitation. Since the weak hash is only used temporarily during upgrade and replaced after login or password change, the risk is somewhat mitigated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8803. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart