Platform
php
Component
codeigniter
Fixed in
3.4.4
CVE-2026-32712 describes a Stored Cross-Site Scripting (XSS) vulnerability within the Open Source Point of Sale application, built using the CodeIgniter framework. This flaw allows an attacker to inject malicious JavaScript code into the customer_name field of the Daily Sales management table. The vulnerability impacts versions 1.0.0 through 3.4.2 of the application, and a fix is available in version 3.4.3.
Successful exploitation allows an attacker to run arbitrary JavaScript in the browser of any user who views the Daily Sales page, with that user's session and privileges. Typical consequences are session hijacking, redirection to phishing pages, defacement of the application's interface, and theft of customer or financial data visible to the victim. The impact grows with the number and privilege level of users who view the page: a payload stored by a low-privilege account fires in an administrator's browser just as readily. The attacker needs customer management permissions to store the payload, but once stored it affects every user who renders the affected table.
This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (POC) code has been released as of the disclosure date. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
No known active exploitation; not listed in the CISA KEV catalog
EPSS
0.02% (6th percentile)
The primary mitigation for CVE-2026-32712 is to upgrade to version 3.4.3 of the Open Source Point of Sale application. If an immediate upgrade is not possible because of compatibility or downtime constraints, a Web Application Firewall (WAF) rule that rejects or strips HTML tags and event-handler attributes in the customer_name parameter reduces exposure, but treat it as a stopgap: a WAF inspects input, it cannot change how the application renders stored data, and tag filters are routinely bypassed. Also review and restrict who holds customer management permissions, since that is the permission needed to store the payload. After upgrading, confirm the fix by saving a customer whose name contains a harmless marker such as `<script>alert('xss_check')</script>`, opening the Daily Sales page, and checking the page source: the marker must appear HTML-encoded (for example `&lt;script&gt;`) rather than as a live `<script>` element.
Update to version 3.4.3 or higher to mitigate the XSS vulnerability. The update corrects the escape configuration of the customer_name column so that the stored value is HTML-encoded on output and rendered as text rather than as markup; stored data is still accepted, it simply can no longer execute in the viewer's browser.
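The following is an added example, not code from the Open Source Point of Sale project or from CodeIgniter. It models a sales-table cell rendered with and without output escaping (the defect and the fix described above), and implements the post-upgrade check from the mitigation section as a function that classifies how a marker value comes back in a rendered page. CodeIgniter 3's `html_escape()` helper wraps `htmlspecialchars()` with `ENT_QUOTES`; plain `htmlspecialchars()` is used here so the script runs outside the framework. The page URL and cookie string in `fetch_page()` are assumptions to be replaced with your own deployment's values.

```php
<?php
// Added example (not OSPOS or CodeIgniter code): escaped vs. unescaped cell
// rendering, plus a verification check for the customer_name fix.
declare(strict_types=1);

// Vulnerable rendering: the stored value is placed in the cell verbatim.
function render_cell_unescaped(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened rendering: HTML-encode for an element-content context.
function render_cell_escaped(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Classify how $marker appears in $html. $token is a substring of $marker that
// contains no HTML metacharacters, so it survives any encoding.
//   'raw'     marker reached the page unencoded: still vulnerable
//   'escaped' marker is encoded as inert text: the fix is in place
//   'partial' value was altered some other way (WAF stripping, odd encoding): inspect by hand
//   'absent'  row is not on this page, or the write was blocked upstream
function classify_reflection(string $html, string $marker, string $token): string
{
    if (strpos($html, $marker) !== false) {
        return 'raw';
    }
    // Accept both HTML 4.01 and HTML5 entity forms: a single quote becomes
    // &#039; under ENT_QUOTES alone (CodeIgniter's html_escape) but &apos; under ENT_HTML5.
    $encodings = [
        htmlspecialchars($marker, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($marker, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
    foreach ($encodings as $encoded) {
        if (strpos($html, $encoded) !== false) {
            return 'escaped';
        }
    }
    if (strpos($html, $token) !== false) {
        return 'partial';
    }
    return 'absent';
}

// Fetch a rendered page with an authenticated session cookie (assumed values:
// pass the Daily Sales URL and the cookie header of a logged-in session).
function fetch_page(string $url, string $cookie): string
{
    $ctx  = stream_context_create(['http' => ['header' => "Cookie: $cookie\r\n"]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException("fetch failed: $url");
    }
    return $body;
}

// Constructed marker: harmless, and unique enough to find in a large page.
$token  = 'xss_check_7f3a';
$marker = "<script>alert('$token')</script>";

printf("unescaped render: %s\n", classify_reflection(render_cell_unescaped($marker), $marker, $token));
printf("escaped render:   %s\n", classify_reflection(render_cell_escaped($marker), $marker, $token));

// Against a live instance after the upgrade, store $marker as a customer name, then:
//   $html = fetch_page('https://pos.example.invalid/sales/manage', 'ci_session=...');
//   echo classify_reflection($html, $marker, $token), "\n";
// Anything other than 'escaped' means the page still needs attention.
```

The two offline renders exercise the `raw` and `escaped` branches; the commented call at the end is the actual post-upgrade check. Checking both entity forms matters because a check that only looks for `&apos;` would misreport a correctly fixed CodeIgniter page as `partial`.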
CVE-2026-32712 is a Stored Cross-Site Scripting (XSS) vulnerability in Open Source Point of Sale versions 1.0.0 through 3.4.2, allowing attackers to inject JavaScript code via the customer_name field.
You are affected if you are using Open Source Point of Sale versions 1.0.0 to 3.4.2. Upgrade to 3.4.3 to mitigate the risk.
Upgrade to version 3.4.3 of the Open Source Point of Sale application. As a temporary workaround, add a WAF rule that rejects HTML tags and event-handler attributes in the customer_name parameter, and restrict customer management permissions; neither replaces the upgrade, which fixes the output escaping itself.
Refer to the Open Source Point of Sale project's official channels (release notes and security advisories) for updates and guidance. The defect is in the application's own column escape configuration rather than in the framework, so updating CodeIgniter alone does not address it.