CVE-2026-32712 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Open Source Point of Sale (OSPOS), a web-based point-of-sale application built with PHP using the CodeIgniter framework. The vulnerability exists in the Daily Sales management table where the customer_name column is configured with escape: false in the bootstrap-table column configuration. This configuration causes customer names to be rendered as raw HTML without proper sanitization.
An attacker with customer management permissions can inject arbitrary JavaScript code into a customer's first_name or last_name field. When any user views the Daily Sales page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in the browsers of users viewing the Daily Sales page, potentially compromising administrative sessions and sensitive business data.
Affected Products
- Open Source Point of Sale (OSPOS) versions prior to 3.4.3
- PHP-based CodeIgniter implementations using bootstrap-table with unsafe column configurations
- Web applications utilizing OSPOS as their point-of-sale backend
Discovery Timeline
- 2026-04-07 - CVE-2026-32712 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-32712
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The root issue stems from improper output encoding in the Daily Sales management interface. The bootstrap-table JavaScript library used to render tabular data provides column configuration options, including an escape parameter that controls whether HTML entities in cell content are escaped.
In vulnerable versions of OSPOS, the customer_name column is explicitly configured with escape: false, meaning any HTML or JavaScript embedded in customer name fields will be rendered directly by the browser rather than displayed as text. This creates a persistent XSS vector since the malicious payload is stored in the database and executed every time the Daily Sales page is loaded.
The attack requires the adversary to have customer management permissions within the application. Once a malicious payload is injected into a customer record, it persists until the record is modified or deleted. This stored nature makes the vulnerability particularly dangerous as it can affect multiple users over an extended period without requiring further attacker interaction.
Root Cause
The vulnerability originates from unsafe bootstrap-table column configuration in the Daily Sales view. The customer_name column explicitly disables HTML escaping, allowing raw HTML content stored in the first_name and last_name database fields to be rendered without sanitization. This violates the principle of defense in depth, as output encoding should always be applied regardless of input validation measures.
Attack Vector
The attack exploits the network-accessible web interface and requires low privileges (customer management permissions) along with user interaction (the victim must view the Daily Sales page). An attacker crafts a malicious customer record containing JavaScript in the name fields. When the bootstrap-table rendering engine processes that record with escaping disabled, the JavaScript executes in the session context of any user who views the compromised page.
For example, an attacker might create a customer with a first name containing a script tag that exfiltrates session cookies or performs actions using the victim's authenticated session. The malicious payload persists in the database, creating a stored XSS condition that affects all users who access the Daily Sales interface.
Technical details regarding the specific vulnerable code paths and exploitation techniques can be found in the GitHub Security Advisory.
Detection Methods for CVE-2026-32712
Indicators of Compromise
- Customer records containing HTML tags or JavaScript code in first_name or last_name fields
- Database entries with <script>, <img onerror=, <svg onload=, or similar XSS payload patterns in customer tables
- Unusual outbound network requests originating from user browsers when viewing the Daily Sales page
- Reports of unexpected browser behavior or pop-ups when accessing the sales management interface
Detection Strategies
- Implement database monitoring to alert on customer name fields containing HTML special characters such as <, >, ", or '
- Deploy web application firewall (WAF) rules to detect XSS payload patterns in customer creation and modification requests
- Enable Content Security Policy (CSP) violation reporting to capture attempted script execution from unauthorized sources
- Configure SentinelOne Singularity XDR to monitor for anomalous JavaScript execution patterns in browser contexts
Monitoring Recommendations
- Review audit logs for customer record modifications, particularly changes to name fields
- Monitor for unusual session activity following Daily Sales page access
- Implement real-time alerting for database queries that insert HTML or script content into customer fields
- Track and investigate any CSP violation reports related to the OSPOS application
How to Mitigate CVE-2026-32712
Immediate Actions Required
- Upgrade Open Source Point of Sale to version 3.4.3 or later immediately
- Audit existing customer records for malicious payloads in name fields and sanitize any suspicious entries
- Implement Content Security Policy headers to mitigate the impact of any undetected XSS payloads
- Review user accounts with customer management permissions and enforce principle of least privilege
Patch Information
The vulnerability has been addressed in OSPOS version 3.4.3. The fix modifies the bootstrap-table column configuration to properly escape HTML entities in the customer_name column, preventing injected scripts from executing. Organizations should upgrade to this version or apply the security patch as soon as possible.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, manually modify the bootstrap-table configuration to set escape: true for the customer_name column
- Implement server-side input validation to strip HTML tags from customer name fields during record creation and modification
- Deploy a web application firewall with XSS protection rules in front of the OSPOS application
- Restrict access to the Daily Sales page to essential personnel only until the patch can be applied
# Read-only database query to identify potentially malicious customer records.
# The REGEXP matches any tag-like sequence '<...>'; legitimate names should never contain angle brackets, so review every hit.
mysql -u ospos_user -p ospos_database -e "SELECT id, first_name, last_name FROM ospos_customers WHERE first_name REGEXP '<[^>]+>' OR last_name REGEXP '<[^>]+>';"
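The following is an added example, not code from the OSPOS project: it models how a bootstrap-table cell for the customer_name column is produced with escape: false (the vulnerable configuration from the Root Cause section) versus escape: true (the Workarounds fix), and includes the same tag-pattern check as the query above applied to rows already loaded in the browser. The escapeHTML function is an assumption that mirrors the entity replacement bootstrap-table applies when escaping is enabled; the sample rows are constructed.

```javascript
// Added example (not OSPOS code). Models bootstrap-table cell rendering for the
// customer_name column with escape:false vs escape:true, plus a row-level check
// for stored HTML. escapeHTML is an assumption mirroring bootstrap-table's escaping.

// Constructed sample rows, shaped like the Daily Sales table data.
const SAMPLE_ROWS = [
  { sale_id: 1, customer_name: 'Jane Doe' },
  { sale_id: 2, customer_name: "O'Brien & Sons" },            // legitimate, special chars only
  { sale_id: 3, customer_name: '<script>alert(1)</script>' }, // stored payload in a name field
];

// Entity-encode the characters that can break out of an HTML text node or attribute.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable column definition: the stored value reaches the DOM as raw HTML.
const vulnerableColumn = { field: 'customer_name', title: 'Customer', escape: false };
// Hardened column definition: what the 3.4.3 fix and the manual workaround amount to.
const fixedColumn = { field: 'customer_name', title: 'Customer', escape: true };

// Minimal model of how a cell body is produced for one column and one row.
function renderCell(column, row) {
  const value = row[column.field];
  return column.escape ? escapeHTML(value) : String(value);
}

// Detection: flag rows whose name contains a tag-like sequence, the same
// pattern as the REGEXP in the database query. Returns the offending sale_ids.
const TAG_PATTERN = /<[^>]+>/;
function findSuspiciousRows(rows) {
  return rows.filter(r => TAG_PATTERN.test(r.customer_name)).map(r => r.sale_id);
}

function demo() {
  for (const row of SAMPLE_ROWS) {
    console.log(renderCell(vulnerableColumn, row), ' | ', renderCell(fixedColumn, row));
  }
  console.log('suspicious sale_ids:', findSuspiciousRows(SAMPLE_ROWS));
}
demo();
```

Note that the hardened column still renders the legitimate "O'Brien & Sons" correctly once the browser decodes the entities, so escape: true costs nothing for real customer names.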
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.