SQL Injection Flaw Found in Open Source Point of Sale

CVE Notify is flagging a critical SQL injection vulnerability, CVE-2026-32888, impacting Open Source Point of Sale (OSPOS), a PHP-based web application built on the CodeIgniter framework. The vulnerability lies within the item search functionality, specifically when the custom attribute search feature (search_custom filter) is active. According to CVE Notify, user input from the search GET parameter is directly inserted into a HAVING clause without proper sanitization or parameterization. This oversight allows an authenticated attacker, even with basic item search privileges, to craft malicious queries and execute arbitrary SQL commands against the database. At the time of the advisory’s publication, a patch was not yet available, leaving instances of OSPOS exposed.

This vulnerability is particularly concerning because the affected application handles sensitive sales and inventory data. An attacker could potentially exfiltrate customer information, manipulate sales records, or even compromise the integrity of the entire system. Interpolating unparameterized user input into database queries is a classic, yet persistent, coding error that can have devastating consequences.

What This Means For You

  • For organizations using Open Source Point of Sale, prioritize patching this vulnerability as soon as the developers release a fix. In the interim, consider disabling the search_custom filter feature if possible, and implement strict input validation and parameterized queries for all database interactions in your own custom code to prevent similar SQL injection attacks.
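To make the flaw described above and the recommended fix concrete, the following added example (not OSPOS code, and not based on its source) shows the same anti-pattern in miniature: a custom-attribute search that filters on an aggregate, so the user's search term ends up in a HAVING clause. The vulnerable version splices the term into the SQL text; the hardened version binds it as a parameter and additionally escapes LIKE wildcards. The schema, item names and attribute values are constructed for the demo, and Python's sqlite3 module stands in for the PHP/MySQL stack; the SQL pattern is what matters.

```python
import sqlite3

# Constructed sample data (not taken from OSPOS): items and their custom attribute values.
SAMPLE_ITEMS = [(1, "Coffee Mug"), (2, "T-Shirt"), (3, "Notebook")]
SAMPLE_ATTRIBUTES = [
    (1, "supplier", "O'Brien Ceramics"),
    (1, "colour", "white"),
    (2, "material", "100% cotton"),
    (2, "size", "M"),
    (3, "pages", "100"),
    (3, "supplier", "Paper Co"),
]


def build_demo_db():
    """In-memory database populated with the constructed inventory above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE attribute_values (item_id INTEGER NOT NULL, "
        "attribute TEXT NOT NULL, value TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ITEMS)
    conn.executemany("INSERT INTO attribute_values VALUES (?, ?, ?)", SAMPLE_ATTRIBUTES)
    return conn


def search_custom_vulnerable(conn, term):
    """Anti-pattern: the search term is spliced into the HAVING clause.

    The filter applies to an aggregate (GROUP_CONCAT over each item's attribute
    values), so it has to live in HAVING rather than WHERE, which is where this
    kind of bug tends to hide. A single quote in `term` ends the string literal
    and the remainder of the input is parsed as SQL.
    """
    sql = f"""
        SELECT i.item_id, i.name
        FROM items i JOIN attribute_values a ON a.item_id = i.item_id
        GROUP BY i.item_id, i.name
        HAVING GROUP_CONCAT(a.value, ' ') LIKE '%{term}%'
    """
    return [name for _, name in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so user input is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_custom_safe(conn, term):
    """Same query with the term passed as a bound parameter.

    The driver sends the value separately from the statement text, so quotes in
    the input cannot change the query's structure. LIKE wildcards are escaped
    too, so a '%' or '_' typed by the user matches literally instead of acting
    as a wildcard.
    """
    sql = """
        SELECT i.item_id, i.name
        FROM items i JOIN attribute_values a ON a.item_id = i.item_id
        GROUP BY i.item_id, i.name
        HAVING GROUP_CONCAT(a.value, ' ') LIKE ? ESCAPE '\\'
    """
    pattern = "%" + escape_like(term) + "%"
    return [name for _, name in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    conn = build_demo_db()
    print(search_custom_safe(conn, "O'Brien"))  # ['Coffee Mug']
    print(search_custom_safe(conn, "100%"))     # ['T-Shirt']: '%' is matched literally
    try:
        search_custom_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError as err:
        print("interpolated query broke on a plain apostrophe:", err)
```

An ordinary supplier name containing an apostrophe is enough to break the interpolated query, which is the same defect the advisory describes; the bound-parameter version returns the expected item. In CodeIgniter the equivalent fix is to pass the value through the framework's query bindings rather than concatenating it into the HAVING string. Note also that the safe version's wildcard escaping is a separate correctness fix: without it, the search "100%" would also match the notebook whose page count merely starts with 100.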

Indicators of Compromise

ID              Type  Indicator
CVE-2026-32888  SQLi  Open Source Point of Sale (CodeIgniter framework), affected versions not specified; items search functionality with the search_custom filter enabled; user-supplied input from the search GET parameter interpolated into a HAVING clause without sanitization.