Home > Vulnerability Database > CVE-2025-63800

Mend.io Vulnerability Database

CVE-2025-63800

Good to know:

Date: November 17, 2025

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the "password" and "repeat_password" parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts.

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-63800

Url: https://github.com/opensourcepos/opensourcepos

Url: https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-63800

Url: https://opensourcepos.org/

Url: https://www.mend.io/vulnerability-database/CVE-2025-63800

Severity Score

7.5

Weakness Type (CWE)

Weak Password Requirements

CWE-521

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-63800

Good to know:

Date: November 17, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?