{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32712", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.824Z", "datePublished": "2026-04-07T20:37:30.661Z", "dateUpdated": "2026-04-08T14:32:34.191Z"}, "containers": {"cna": {"title": "Open Source Point of Sale has Stored XSS in Customer Name (Sales)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp"}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"version": "< 3.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:37:30.661Z"}, "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3."}], "source": {"advisory": "GHSA-hcfr-9hfv-mcwp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:32:23.795122Z", "id": "CVE-2026-32712", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:32:34.191Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32712", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:32:23.795122Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:32:29.151Z"}}], "cna": {"title": "Open Source Point of Sale has Stored XSS in Customer Name (Sales)", "source": {"advisory": "GHSA-hcfr-9hfv-mcwp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"status": "affected", "version": "< 3.4.3"}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp", "name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:37:30.661Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32712", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:32:34.191Z", "dateReserved": "2026-03-13T14:33:42.824Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T20:37:30.661Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*", "matchCriteriaId": "33CA1AD1-86E9-4A57-8D1D-48AC5FEA0AE8", "versionEndExcluding": "3.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3."}], "id": "CVE-2026-32712", "lastModified": "2026-04-14T18:45:18.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T21:17:16.430", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "opensourcepos", "source": "cna", "vendor": "opensourcepos"}, "product": "opensourcepos", "vendor": "opensourcepos"}], "analysis": {"en": {"generated_at": "2026-04-14T20:58:24.701311+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s patch to upgrade to version 3.4.3 or later.", "If upgrading immediately is not possible, restrict customer\u2011management permissions to trusted users only or temporarily disable modification of customer name fields.", "Modify the bootstrap\u2011table configuration to enable output escaping for the customer_name column so that all input is rendered safely.", "Monitor the application logs for attempts to inject script payloads and investigate any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "A stored cross\u2011site scripting vulnerability allows attackers to inject and execute arbitrary JavaScript in the browser of any user who views the Daily Sales page."}, "threat_synthesis": {"affected_systems": "The affected product is Open Source Point of Sale from the opensourcepos vendor. Versions older than 3.4.3 contain the flaw; the issue was fixed in release 3.4.3 and later.", "description_and_impact": "Open Source Point of Sale contains a stored XSS flaw in the customer_name column of the Daily Sales management table. The column is rendered without escaping, so an attacker who has customer\u2011management privileges can insert JavaScript into a customer's first or last name. When any user opens the Daily Sales page, the malicious script runs in that user\u2019s browser, enabling actions such as session hijacking, data theft, or page defacement. The vulnerability is client\u2011side only; it does not provide direct server\u2011side code execution.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to possess customer\u2011management permissions, which implies a privileged or compromised account. Once the conditions are met, the attack can execute arbitrary client\u2011side scripts, but it does not allow direct compromise of the server or other users\u2019 accounts beyond the vulnerable session."}}}}, "created": "2026-04-08T19:34:17.719498+00:00", "updated": "2026-04-15T16:15:11.968918+00:00", "vendors": ["opensourcepos", "opensourcepos$PRODUCT$opensourcepos"]}