CVE-2026-32888

EUVD-2026-13498 | Severity: HIGH
Published: 2026-03-20
CVSS 3.1 base score: 8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Mar 20, 2026 - 03:15 (nvd)
EUVD ID Assigned: Mar 20, 2026 - 08:37 (euvd), EUVD-2026-13498
Analysis Generated: Mar 20, 2026 - 08:37 (vuln.today)

Description

Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Versions contain an SQL injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.

Analysis

Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. …


Remediation

Within 24 hours: Disable custom attribute search functionality in POS configuration and audit recent access logs for suspicious search queries. Within 7 days: Implement Web Application Firewall rules to block SQL injection patterns in search parameters and conduct inventory of all affected systems. …


Priority Score

44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +44
POC: 0
