Description
Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Versions contain an SQL injection in the Items search functionality. When the custom attribute search feature is enabled (the search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.
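The flaw class described above, as an added example that is not Open Source Point of Sale's own code: Python with SQLite stands in for the PHP/CodeIgniter stack, and the schema, rows and function names are constructed assumptions. It contrasts a search value interpolated into a HAVING clause with the same value passed as a bound parameter.

```python
import sqlite3

def make_db():
    # Constructed schema and rows; table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT, deleted INTEGER);
        CREATE TABLE attribute_links (item_id INTEGER, attribute_value TEXT);
        INSERT INTO items VALUES (1,'Espresso',0),(2,'Mug',0),(3,'Gift card',0),(4,'Old stock',1);
        INSERT INTO attribute_links VALUES (1,'red'),(2,'blue'),(2,'large'),(4,'blue');
    """)
    return conn

# The filter must sit in HAVING because it tests an aggregated alias.
QUERY = """
    SELECT i.item_id, GROUP_CONCAT(a.attribute_value, '|') AS attribute_values
    FROM items i LEFT JOIN attribute_links a ON a.item_id = i.item_id
    WHERE i.deleted = 0
    GROUP BY i.item_id
    HAVING attribute_values LIKE {predicate}
    ORDER BY i.item_id
"""

def search_interpolated(conn, search):
    # Flawed pattern: the request value becomes part of the SQL text,
    # so a quote character in it ends the string literal.
    sql = QUERY.format(predicate="'%" + search + "%'")
    return [row[0] for row in conn.execute(sql)]

def search_bound(conn, search):
    # Hardened pattern: the SQL text is constant and the value is bound.
    # LIKE wildcards in the input are escaped so they match literally.
    escaped = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = QUERY.format(predicate="? ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]

if __name__ == "__main__":
    db = make_db()
    altered = "x' OR 'a' LIKE 'a"  # constructed input containing a quote
    for term in ("blue", altered):
        print(repr(term), search_interpolated(db, term), search_bound(db, term))
```

With the interpolated form, the quoted input turns the filter into a condition that is true for every group, so the search returns all non-deleted items; the bound form treats the same input as a literal search string and matches nothing.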
INFO
Published Date: 2026-03-20T02:14:34.995Z
Last Modified: 2026-03-25T14:26:31.519Z
Source: GitHub_M
AFFECTED PRODUCTS
The following products are affected by the CVE-2026-32888 vulnerability.
| Vendors | Products |
|---|---|
| Opensourcepos | |