{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.421Z", "datePublished": "2026-03-20T02:14:34.995Z", "dateUpdated": "2026-03-25T14:26:31.519Z"}, "containers": {"cna": {"title": "Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw"}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"version": "<= 3.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:14:34.995Z"}, "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication."}], "source": {"advisory": "GHSA-hmjv-wm3j-pfhw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:25:55.079535Z", "id": "CVE-2026-32888", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:26:31.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32888", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:25:55.079535Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:26:23.752Z"}}], "cna": {"title": "Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality", "source": {"advisory": "GHSA-hmjv-wm3j-pfhw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"status": "affected", "version": "<= 3.4.1"}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw", "name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:14:34.995Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32888", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:26:31.519Z", "dateReserved": "2026-03-16T21:03:44.421Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T02:14:34.995Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*", "matchCriteriaId": "A212E29B-410C-462B-AA6F-CF02175A6913", "versionEndIncluding": "3.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication."}, {"lang": "es", "value": "Open Source Point de Sale es una aplicaci\u00f3n de punto de venta basada en web escrita en PHP utilizando el framework CodeIgniter. Las versiones contienen una inyecci\u00f3n SQL en la funcionalidad de b\u00fasqueda de Art\u00edculos. Cuando la funci\u00f3n de b\u00fasqueda de atributos personalizados est\u00e1 habilitada (filtro search_custom), la entrada proporcionada por el usuario desde el par\u00e1metro GET de b\u00fasqueda se interpola directamente en una cl\u00e1usula HAVING sin parametrizaci\u00f3n ni saneamiento. Esto permite a un atacante autenticado con permisos b\u00e1sicos de b\u00fasqueda de art\u00edculos ejecutar consultas SQL arbitrarias. No exist\u00eda un parche en el momento de la publicaci\u00f3n."}], "id": "CVE-2026-32888", "lastModified": "2026-04-08T20:54:00.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T03:15:59.707", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Patch"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "opensourcepos", "source": "cna", "vendor": "opensourcepos"}, "product": "opensourcepos", "vendor": "opensourcepos"}], "analysis": {"en": {"generated_at": "2026-04-08T23:38:54.283836+00:00", "value": {"mitigation_remediation": ["Obtain and apply the latest patch from the Open Source Point of Sale project as soon as it becomes available", "If a patch is not yet available, disable or remove the search_custom filter from the Items search function to eliminate the injection path", "Restrict the item search permission to trusted users and review role assignments periodically", "Monitor database logs for anomalous queries that could indicate exploitation activity"], "summary": {"action": "Immediate Patch", "impact": "SQL Injection Allowing Database Access"}, "threat_synthesis": {"affected_systems": "The flaw exists in the Open Source Point of Sale application, a PHP web application built on the CodeIgniter framework. All releases that include the Items search functionality with the custom attribute search feature are affected. No specific version ranges are provided in the advisory.", "description_and_impact": "This vulnerability is an SQL injection that occurs when user supplied input to the item search GET parameter is placed directly into an HAVING clause without parameterization or sanitization. An attacker with valid item search permissions can inject arbitrary SQL commands, which can lead to disclosure of confidential data or modification of inventory records, impacting the integrity and confidentiality of the database.", "risk_and_exploitability": "The CVSS score of 8.8 signifies a high severity, while the EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated with permissions to perform item searches and to use the search_custom filter. The likely attack vector is web-based input manipulation through the search interface."}}}}, "created": "2026-03-20T08:53:06.252798+00:00", "updated": "2026-04-09T08:29:43.112185+00:00", "vendors": ["opensourcepos", "opensourcepos$PRODUCT$opensourcepos"]}