CVE-2026-32888
- Source
- https://cve.org/CVERecord?id=CVE-2026-32888
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32888.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-32888
- Aliases
-
- GHSA-hmjv-wm3j-pfhw
- Published
- 2026-03-20T02:14:34.995Z
- Modified
- 2026-04-10T05:42:30.982858Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality
- Details
-
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.
- Database specific
{ "cwe_ids": [ "CWE-89" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32888.json" }- References