CVE-2026-32888
Published: 20 March 2026
Summary
CVE-2026-32888 is a high-severity SQL Injection (CWE-89) vulnerability in Opensourcepos Open Source Point Of Sale. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user-supplied inputs such as the 'search' GET parameter to prevent SQL injection via unsanitized interpolation into HAVING clauses.
Mandates timely identification, reporting, and remediation of specific flaws like this SQL injection vulnerability through patching or code correction.
Provides vulnerability scanning to detect SQL injection issues in web applications like the Items search functionality before exploitation by authenticated users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible web app directly enables exploitation of public-facing applications (T1190); arbitrary SQL execution on backend DB directly facilitates data access from databases (T1213.006).
NVD Description
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from…
more
the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.
Deeper analysisAI
CVE-2026-32888 is an SQL injection vulnerability (CWE-89) affecting Open Source Point of Sale, a web-based point-of-sale application written in PHP using the CodeIgniter framework. The issue exists in the Items search functionality, specifically when the custom attribute search feature (search_custom filter) is enabled. In this scenario, user-supplied input from the 'search' GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization, enabling arbitrary SQL query execution. The vulnerability was published on 2026-03-20 and carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker possessing basic item search permissions can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows the execution of arbitrary SQL queries against the underlying database, potentially resulting in unauthorized data access, modification, or deletion, with high impacts on confidentiality, integrity, and availability.
The GitHub security advisory (GHSA-hmjv-wm3j-pfhw) notes that no patch existed at the time of publication. Security practitioners should review the advisory for any subsequent updates and consider disabling the custom attribute search feature as an interim mitigation measure while monitoring the project repository for fixes.
Details
- CWE(s)