Home / Vulnerability Intelligence / CVE-2026-32888

CVE-2026-32888 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 20, 2026

Open Source Point of Sale - SQL Injection

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

Open Source Point of Sale contains an SQL Injection caused by unsanitized user input in the Items search functionality's HAVING clause, letting authenticated attackers with item search permissions execute arbitrary SQL queries.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Authenticated attackers can execute arbitrary SQL queries, potentially leading to data disclosure or modification.

Mitigation

Update to the latest version once a patch is available.

References

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-32888
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: new

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H