Description
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection Allowing Database Access
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an SQL injection: when the custom attribute search (the search_custom filter) is enabled, user-supplied input from the item search GET parameter is placed directly into a HAVING clause without parameterization or sanitization. An attacker holding valid item search permissions can therefore inject arbitrary SQL, leading to disclosure of confidential data or modification of inventory records. The CVSS vector rates the impact on confidentiality, integrity and availability of the database as high (C:H/I:H/A:H).
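
The following is an added illustration of that pattern and of the parameterized fix; it is not code from Open Source Point of Sale. It uses an in-memory SQLite database with an invented items/attribute/employees schema (the real application runs MySQL through CodeIgniter, where the equivalent fix is a "?" bind on $db->query() or the Query Builder's having()). Two constructed search values show the HAVING clause being rewritten into a UNION that reads another table and into a condition that is true for every row, while the bound-parameter version treats the same values as plain text:

```python
import sqlite3

# Constructed stand-in schema, not the project's real tables. SQLite is used so
# the snippet runs offline; the real application runs MySQL through CodeIgniter.
SCHEMA = """
CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT, cost_price REAL);
CREATE TABLE attribute_values (item_id INTEGER, attribute_value TEXT);
CREATE TABLE employees (username TEXT, password_hash TEXT);
INSERT INTO items VALUES (1, 'Widget', 2.5), (2, 'Gadget', 9.0), (3, 'Gizmo', 4.0);
INSERT INTO attribute_values VALUES (1, 'red'), (2, 'blue'), (3, 'red');
INSERT INTO employees VALUES ('admin', '$2y$10$constructed-hash-value');
"""

# Aggregating attributes per item is what pushes the filter into HAVING
# instead of WHERE, which is the clause the advisory names.
BASE_QUERY = (
    "SELECT i.item_id, i.name, GROUP_CONCAT(a.attribute_value) AS attrs "
    "FROM items AS i LEFT JOIN attribute_values AS a ON a.item_id = i.item_id "
    "GROUP BY i.item_id, i.name "
)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_custom_vulnerable(conn: sqlite3.Connection, search: str) -> list:
    """The pattern the advisory describes: the search value is interpolated into
    the HAVING clause, so a quote in it closes the literal and whatever follows
    is parsed as SQL."""
    sql = BASE_QUERY + f"HAVING GROUP_CONCAT(a.attribute_value) LIKE '%{search}%'"
    return conn.execute(sql).fetchall()


def search_custom_safe(conn: sqlite3.Connection, search: str) -> list:
    """Same query with the value bound as a parameter. The SQL text is fixed and
    the driver passes the value out of band, so it is only ever compared, never
    parsed. LIKE wildcards in the input are escaped as well so that '%' or '_'
    cannot widen the match (a matching nuisance, not an injection)."""
    sql = BASE_QUERY + "HAVING GROUP_CONCAT(a.attribute_value) LIKE ? ESCAPE '\\'"
    term = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payloads: the first appends a UNION that reads another table,
    # the second makes the HAVING condition true for every group.
    leak = "x' UNION SELECT username, password_hash, NULL FROM employees -- "
    tautology = "%' OR 1=1 -- "
    print("vulnerable, leak:     ", search_custom_vulnerable(db, leak))
    print("vulnerable, tautology:", search_custom_vulnerable(db, tautology))
    print("safe, leak:           ", search_custom_safe(db, leak))
    print("safe, tautology:      ", search_custom_safe(db, tautology))
    print("safe, 'red':          ", search_custom_safe(db, "red"))
```

With the UNION payload the vulnerable function returns the employees row instead of any item, and with the tautology it returns every item; the bound version returns nothing for either payload because the whole string is compared against the aggregated attribute text. The trailing space after "--" in the payloads matters on MySQL, where the comment marker must be followed by whitespace.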

Affected Systems

The flaw exists in the Open Source Point of Sale application, a PHP web application built on the CodeIgniter framework. Every release that includes the Items search functionality with the custom attribute search feature is affected; the advisory gives neither a specific version range nor a fixed version.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) signifies high severity: the flaw is reachable over the network, has low attack complexity, needs no user interaction and only low privileges. The EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below rates Exploitation as poc (a proof of concept exists) and Automatable as no. Exploitation requires an authenticated account with permission to perform item searches, using the search_custom filter; the attack vector is manipulation of the search parameter through the web search interface.

Generated by OpenCVE AI on April 8, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Obtain and apply the patch from the Open Source Point of Sale project as soon as one is released; none existed at publication
  • Until then, disable the custom attribute search (the search_custom filter) in the Items search function so that the unparameterized HAVING clause is never built from user input
  • Restrict the item search permission to trusted users and review role assignments periodically, since that permission is all the attack requires (CVSS PR:L)
  • Monitor database query logs for item searches whose HAVING clause contains stray quotes, comment sequences (--, #) or UNION, which would indicate exploitation attempts
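
As an added example for the monitoring item above (not part of the advisory or of the OpenCVE recommendations), the following scans MySQL general-log style lines for queries whose HAVING clause carries injection indicators: comment markers, UNION, a tautology, a timing function, or an odd number of quotes. The log lines are constructed for this example and the table names in them are invented; thresholds and the indicator list are a starting point to tune against a real baseline:

```python
import re

# Constructed MySQL general-log style lines (tab-separated time, thread id,
# command, argument). They are made up for this example with invented table
# names; they are not captured traffic from any deployment.
SAMPLE_LOG = """\
2026-03-21T10:00:01.000000Z\t   17 Query\tSELECT item_id, name, GROUP_CONCAT(attribute_value) AS attrs FROM items JOIN attribute_values USING (item_id) GROUP BY item_id, name HAVING attrs LIKE '%red%'
2026-03-21T10:00:05.000000Z\t   17 Query\tSELECT item_id, name, GROUP_CONCAT(attribute_value) AS attrs FROM items JOIN attribute_values USING (item_id) GROUP BY item_id, name HAVING attrs LIKE '%x' UNION SELECT username, password, NULL FROM employees -- %'
2026-03-21T10:00:09.000000Z\t   18 Query\tSELECT item_id, name, GROUP_CONCAT(attribute_value) AS attrs FROM items JOIN attribute_values USING (item_id) GROUP BY item_id, name HAVING attrs LIKE '%%' OR 1=1 -- %'
2026-03-21T10:00:12.000000Z\t   18 Query\tSELECT item_id, name, GROUP_CONCAT(attribute_value) AS attrs FROM items JOIN attribute_values USING (item_id) GROUP BY item_id, name HAVING attrs LIKE '%blue' AND SLEEP(5) -- %'
2026-03-21T10:00:15.000000Z\t   19 Query\tSELECT item_id, name FROM items WHERE name LIKE '%50%'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Each indicator is something a legitimate attribute search never needs inside
# its HAVING clause. '#' can occur in genuine product data, so check it against
# your own baseline before alerting on it alone.
INDICATORS = [
    ("sql comment", re.compile(r"--\s|#|/\*")),
    ("union", re.compile(r"\bUNION\b", re.IGNORECASE)),
    ("tautology", re.compile(r"\bOR\s+(\d+|'[^']*')\s*=\s*\1", re.IGNORECASE)),
    ("time-based probe", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)),
]


def having_clause(sql: str):
    """Return the text after the first HAVING keyword, or None if there is none."""
    m = re.search(r"\bHAVING\b(.*)$", sql, re.IGNORECASE | re.DOTALL)
    return m.group(1) if m else None


def suspicious_reasons(clause: str) -> list:
    """List the indicators found in a HAVING clause; an empty list means benign."""
    reasons = [name for name, rx in INDICATORS if rx.search(clause)]
    # A well-formed string literal contributes an even number of quotes; an
    # injected quote that closes the literal early leaves the count odd.
    if clause.count("'") % 2 == 1:
        reasons.append("unbalanced quotes")
    return reasons


def scan_log(text: str) -> list:
    """Return one finding per Query line whose HAVING clause looks injected."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        clause = having_clause(m.group("arg"))
        if clause is None:
            continue
        reasons = suspicious_reasons(clause)
        if reasons:
            findings.append({"ts": m.group("ts"), "thread": int(m.group("thread")), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} thread={f['thread']} {', '.join(f['reasons'])}")
```

On the sample, the benign search on thread 17 and the plain WHERE query on thread 19 produce nothing, while the three injected searches are each reported with the indicators that matched. The thread id is worth keeping in the finding because the general log also records the Connect line for that thread, which ties the query back to the application's database user and client host.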

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 21:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opensourcepos open Source Point Of Sale
CPEs                                   cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
Vendors & Products                     Opensourcepos open Source Point Of Sale

Wed, 25 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opensourcepos; Opensourcepos opensourcepos
Vendors & Products                     Opensourcepos; Opensourcepos opensourcepos

Fri, 20 Mar 2026 03:15:00 +0000

Type          Values Removed   Values Added
Description                    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.
Title                          Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:26:31.519Z

Reserved: 2026-03-16T21:03:44.421Z

Link: CVE-2026-32888

Vulnrichment

Updated: 2026-03-25T14:26:23.752Z

NVD

Status : Analyzed

Published: 2026-03-20T03:15:59.707

Modified: 2026-04-08T20:54:00.880

Link: CVE-2026-32888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:43Z
