{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32712", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.824Z", "datePublished": "2026-04-07T20:37:30.661Z", "dateUpdated": "2026-04-08T14:32:34.191Z"}, "containers": {"cna": {"title": "Open Source Point of Sale has Stored XSS in Customer Name (Sales)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp"}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"version": "< 3.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:37:30.661Z"}, "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3."}], "source": {"advisory": "GHSA-hcfr-9hfv-mcwp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:32:23.795122Z", "id": "CVE-2026-32712", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:32:34.191Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32712", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:32:23.795122Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:32:29.151Z"}}], "cna": {"title": "Open Source Point of Sale has Stored XSS in Customer Name (Sales)", "source": {"advisory": "GHSA-hcfr-9hfv-mcwp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"status": "affected", "version": "< 3.4.3"}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp", "name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:37:30.661Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32712", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:32:34.191Z", "dateReserved": "2026-03-13T14:33:42.824Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T20:37:30.661Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3."}], "id": "CVE-2026-32712", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T21:17:16.430", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "opensourcepos", "source": "cna", "vendor": "opensourcepos"}, "product": "opensourcepos", "vendor": "opensourcepos"}], "analysis": {"en": {"generated_at": "2026-04-07T21:52:19.116911+00:00", "value": {"mitigation_remediation": ["Upgrade Open Source Point of Sale to version 3.4.3 or later as released by the vendor", "If an upgrade cannot be performed immediately, modify the application to escape or remove the customer_name field from the Daily Sales display so that it is rendered as plain text", "Consult the vendor advisory at https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp for further guidance"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows arbitrary client\u2011side code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of Open Source Point of Sale older than version 3.4.3. The affected product is the Open Source Point of Sale application offered by the opensourcepos vendor.", "description_and_impact": "Open Source Point of Sale, a PHP web application built on the CodeIgniter framework, contains a vulnerability that allows a stored cross\u2011site scripting flaw on the Daily Sales page. The customer_name field is rendered without HTML escaping, so a user with customer\u2011management privileges can insert malicious JavaScript into a customer\u2019s first or last name fields. When any user views the Daily Sales screen, the injected code executes in the victim\u2019s browser, potentially stealing credentials, defacing the interface, or facilitating other client\u2011side attacks. This weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.4 indicates medium severity. No public exploitation has been tracked in the CISA Known Exploited Vulnerabilities catalog and the EPSS score is not publicly available, but the attack path is straightforward: an authenticated user who can modify customer records injects script, and the code runs in the browsers of viewers of the Daily Sales page. The likely attack vector is via the web interface after the malicious data is stored in the database."}}}}, "created": "2026-04-08T19:34:17.719498+00:00", "updated": "2026-04-08T19:45:45.447285+00:00", "vendors": ["opensourcepos", "opensourcepos$PRODUCT$opensourcepos"]}