CVE-2026-32888
🟠 Łataj w tym tygodniu
Wstrzyknięcie SQL w Open Source Point of Sale umożliwia uwierzytelnionemu atakującemu wykonywanie dowolnych zapytań SQL.
CVSS
8.8
EPSS
0.0%
Exploit
poc
Vendor
opensourcepos
Opis źródłowy (NVD)
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.
exploit sql-injection
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-03-20 03:15:59 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-08 20:54:00 UTC |
Referencje
- https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hmjv-wm3j-pfhw (security-advisories@github.com) [Exploit, Vendor Advisory, Patch]