Cyber Resilience

CVE-2026-32888

HighPublic PoC

Published: 20 March 2026

Published
20 March 2026
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0032 23.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32888 is a high-severity SQL Injection (CWE-89) vulnerability in Opensourcepos Open Source Point Of Sale. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32888 is an SQL injection vulnerability (CWE-89) affecting Open Source Point of Sale, a web-based point-of-sale application written in PHP using the CodeIgniter framework. The issue exists in the Items search functionality, specifically when the custom attribute search feature (search_custom filter) is enabled. In this scenario, user-supplied input from the 'search' GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization, enabling arbitrary SQL query execution. The vulnerability was published on 2026-03-20 and carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker possessing basic item search permissions can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows the execution of arbitrary SQL queries against the underlying database, potentially resulting in unauthorized data access, modification, or deletion, with high impacts on confidentiality, integrity, and availability.

The GitHub security advisory (GHSA-hmjv-wm3j-pfhw) notes that no patch existed at the time of publication. Security practitioners should review the advisory for any subsequent updates and consider disabling the custom attribute search feature as an interim mitigation measure while monitoring the project repository for fixes.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from…

more

the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in network-accessible web app directly enables exploitation of public-facing applications (T1190); arbitrary SQL execution on backend DB directly facilitates data access from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26746Same product: Opensourcepos Open Source Point Of Sale
CVE-2025-68434Same product: Opensourcepos Open Source Point Of Sale
CVE-2025-70093Same product: Opensourcepos Open Source Point Of Sale
CVE-2018-25199Shared CWE-89
CVE-2026-27179Shared CWE-89
CVE-2025-0308Shared CWE-89
CVE-2019-25581Shared CWE-89
CVE-2026-27885Shared CWE-89
CVE-2019-25479Shared CWE-89
CVE-2026-1476Shared CWE-89

Affected Assets

opensourcepos
open source point of sale
≤ 3.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied inputs such as the 'search' GET parameter to prevent SQL injection via unsanitized interpolation into HAVING clauses.

prevent

Mandates timely identification, reporting, and remediation of specific flaws like this SQL injection vulnerability through patching or code correction.

detect

Provides vulnerability scanning to detect SQL injection issues in web applications like the Items search functionality before exploitation by authenticated users.

References