Home / Vulnerability Intelligence / CVE-2026-32888

CVE-2026-32888 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 20, 2026

Open Source Point of Sale - SQL Injection

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

Open Source Point of Sale contains an SQL Injection caused by unsanitized user input in the Items search functionality's HAVING clause, letting authenticated attackers with item search permissions execute arbitrary SQL queries.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 2.5%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary SQL queries, potentially leading to data disclosure or modification.

Mitigation

Update to the latest version once a patch is available.

References

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 22, 2026

🟠 CVE-2026-32888 - High (8.8) Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32888/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-32888
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: unconfirmed
EPSS: 2.5%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

2.5%Probability of exploitation in the next 30 days