AI description
CVE-2025-41011 describes an HTML injection vulnerability found in PHP Point of Sale version 19.4. This flaw allows an attacker to render arbitrary HTML content within the victim's browser. The vulnerability stems from insufficient validation of user-supplied input. An attacker can exploit this by sending a crafted request to the '/reports/generate/specific_customer' endpoint, specifically manipulating the 'start_date_formatted' and 'end_date_formatted' parameters to inject HTML.
- Description
- HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', using 'start_date_formatted' and 'end_date_formatted' parameters.
- Source
- cve-coordination@incibe.es
- NVD status
- Analyzed
- Products
- php_point_of_sale
CVSS 4.0
- Type
- Secondary
- Base score
- 5.1
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- cve-coordination@incibe.es
- CWE-79
- Hype score
- Not currently trending
🚨*CVE* CVE-2025-41011 HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validati… https://t.co/YC9rxWe5P4 ----- Translation: CVE-2025-41011 vul… https://t.co/utmtNg
@infoflowcloud
21 Apr 2026
CVE-2025-41011 HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validati… https://t.co/GJNN7FjXlb
@CVEnew
21 Apr 2026
⚠️#INCIBEaviso | SQL injection in Zeon Academy Pro by #ZeonGlobalTech #CVE CVE-2025-41011 https://t.co/r7rNeXWH4G #AvisosDeSeguridad #TI #CNA #0day
@incibe_cert
21 Apr 2026
⚠️#INCIBEaviso | HTML injection in #PHPPointOfSale #CVE CVE-2025-41011 https://t.co/pPXkublL2i #AvisosDeSeguridad #TI #CNA #0day
@incibe_cert
21 Apr 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:phppointofsale:php_point_of_sale:19.4:*:*:*:*:*:*:*",
            "matchCriteriaId": "BBDF5FB1-9410-4D20-9AD4-3B57EC85D270",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]