CVE-2026-32888

Name of the Vulnerable Software and Affected Versions Open Source Point of Sale (affected versions not specified)

Description The application is a web-based point-of-sale system developed in PHP using the CodeIgniter framework. It contains a SQL Injection flaw within the Items search functionality. Specifically, when the custom attribute search feature is enabled, input from the search GET parameter is directly incorporated into a HAVING clause without proper sanitization or parameterization. This allows an authenticated attacker with item search permissions to execute arbitrary SQL queries. The API endpoint involved is the item search functionality, accepting the search parameter. The vulnerable parameter is search. A patch was not available at the time of publication.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.