SQL Injection Vulnerability in Open Source Point of Sale by Open Source Point of Sale
CVE-2026-32888
8.8 HIGH
What is CVE-2026-32888?
Open Source Point of Sale (OSPOS), a PHP application built on the CodeIgniter framework, is vulnerable to SQL injection in its Items search. When the custom attribute search option is enabled, the value of the `search` GET parameter is interpolated directly into a HAVING clause without parameterization or escaping. An authenticated attacker who holds only basic search permission can therefore inject arbitrary SQL into the query and potentially read sensitive data that the search is not meant to return. At the time of publication, no patch was available.
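The following is an added example, not code from the OSPOS project, that reconstructs the class of flaw described above in a self-contained way: a grouped item query whose HAVING predicate on aggregated custom attribute values is built by string interpolation, beside a parameterized version. Python with an in-memory SQLite database stands in for the project's PHP and MySQL; the schema, table names (`items`, `item_attributes`, `employees`), sample rows and the two payloads are all constructed for the demonstration and do not correspond to the project's real schema or to a published exploit.

```python
import sqlite3

# Constructed sample schema and data (not the project's real schema).
SCHEMA = """
CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT, cost REAL);
CREATE TABLE item_attributes (item_id INTEGER, attribute_value TEXT);
CREATE TABLE employees (employee_id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO items VALUES (1, 'Widget', 2.50), (2, 'Gadget', 7.00), (3, 'Gizmo', 11.25);
INSERT INTO item_attributes VALUES (1, 'red'), (1, 'small'), (2, 'blue'), (3, 'green');
INSERT INTO employees VALUES (1, 'admin', '$2y$10$constructedhash');
"""

# Shared part of the query: one row per item with its custom attributes concatenated.
BASE_QUERY = (
    "SELECT i.item_id, i.name, GROUP_CONCAT(a.attribute_value) AS attr_values "
    "FROM items i LEFT JOIN item_attributes a ON a.item_id = i.item_id "
    "GROUP BY i.item_id, i.name "
)

# Constructed payloads. The trailing space after "--" matters on MySQL, where
# "--" only starts a comment when followed by whitespace; SQLite accepts both.
BYPASS_PAYLOAD = "x' OR 1=1 -- "
UNION_PAYLOAD = "x' UNION SELECT employee_id, username, password_hash FROM employees -- "


def open_db():
    """Create the in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_items_vulnerable(conn, search):
    """Mirror of the flaw class: the search term is spliced into HAVING as SQL text."""
    sql = BASE_QUERY + f"HAVING GROUP_CONCAT(a.attribute_value) LIKE '%{search}%'"
    return conn.execute(sql).fetchall()


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the user term is matched literally."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_items_fixed(conn, search):
    """Hardened form: the term is bound as a parameter, so it can only ever be data.

    LIKE wildcards are escaped as well; binding alone stops injection but would
    still let a bare '%' match every item.
    """
    sql = BASE_QUERY + "HAVING GROUP_CONCAT(a.attribute_value) LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(search) + "%"
    return conn.execute(sql, (pattern,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable, 'red':        ", search_items_vulnerable(db, "red"))
    print("vulnerable, bypass:       ", search_items_vulnerable(db, BYPASS_PAYLOAD))
    print("vulnerable, union:        ", search_items_vulnerable(db, UNION_PAYLOAD))
    print("fixed, bypass:            ", search_items_fixed(db, BYPASS_PAYLOAD))
    print("fixed, union:             ", search_items_fixed(db, UNION_PAYLOAD))
    print("fixed, bare '%':          ", search_items_fixed(db, "%"))
```

The interpolated version turns the closing `%'` of the LIKE pattern into a comment, so the bypass payload widens the predicate to every item and the UNION payload appends rows from an unrelated table to the result set, which is the data-exposure outcome the advisory warns about. The CodeIgniter equivalent of the fix is to pass the value through the query builder or as a bound parameter rather than concatenating it into the HAVING string.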
Affected Version(s)
opensourcepos <= 3.4.1
