CVE-2026-32712 Overview
CVE-2026-32712 is a stored Cross-Site Scripting (XSS) vulnerability in Open Source Point of Sale, a web-based PHP point-of-sale application built on the CodeIgniter framework. The flaw resides in the Daily Sales management table, where the customer_name column is configured with escape: false in the bootstrap-table column configuration. This causes customer names to render as raw HTML in the browser. An authenticated attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field. The payload executes for any user who views the Daily Sales page. The issue is tracked under [CWE-79] and is fixed in version 3.4.3.
Critical Impact
Authenticated attackers with customer management rights can execute arbitrary JavaScript in the browsers of other Open Source Point of Sale users viewing the Daily Sales page, enabling session theft and unauthorized actions.
Affected Products
- Open Source Point of Sale versions prior to 3.4.3
- Deployments using the Daily Sales management table
- Installations where customer management permissions are delegated to non-administrative users
Discovery Timeline
- 2026-04-07 - CVE-2026-32712 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-32712
Vulnerability Analysis
The vulnerability stems from unsafe rendering of user-controlled data in the Daily Sales bootstrap-table view. Open Source Point of Sale uses the bootstrap-table JavaScript library to present tabular sales data. Column definitions in bootstrap-table support an escape property that controls HTML entity encoding. The customer_name column sets escape: false, instructing the library to inject the field value into the DOM as raw HTML. Customer name values originate from the first_name and last_name fields submitted through the customer management interface. The application does not strip or encode HTML during input or output for these fields. Any user with permission to create or edit customers can persist a JavaScript payload that activates whenever staff view the Daily Sales report.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The combination of escape: false in the column definition and the absence of server-side or template-level output encoding allows raw HTML and script tags stored in customer name fields to reach the rendered page intact.
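To make the escape flag concrete, the following is an added example (not code from Open Source Point of Sale or from the bootstrap-table library): a small model of how a bootstrap-table cell is produced with and without the column's `escape` option, plus an audit helper for column lists. The sale row, the column list and the `payload()` handler name are constructed for illustration; `escapeHtml()` uses the usual entity mapping for HTML text context.

```javascript
// Added example, not code from Open Source Point of Sale or bootstrap-table:
// a minimal model of how a bootstrap-table cell is rendered with and without
// the column's `escape` option.

// Encode the characters that let a value break out of HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/`/g, '&#x60;');
}

// Render one table cell for a column definition. `escape: false` inserts
// the stored value into the markup untouched, which is the defect.
function renderCell(column, row) {
  const raw = row[column.field] == null ? '' : String(row[column.field]);
  const content = column.escape === true ? escapeHtml(raw) : raw;
  return `<td>${content}</td>`;
}

// True if the rendered cell contains an element start tag, i.e. the value
// reached the page as markup rather than as text.
function cellContainsTag(html) {
  const inner = html.replace(/^<td>/, '').replace(/<\/td>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Audit a column list and return the fields that would render raw. A column
// without an explicit `escape: true` is reported, because bootstrap-table
// defaults `escape` to false unless it is set at table level.
function unescapedFields(columns) {
  return columns.filter(c => c.escape !== true).map(c => c.field);
}

// Constructed Daily Sales row: the customer name carries markup, as a stored
// payload in the customers table would. payload() is a dummy handler name.
const sampleRow = {
  sale_id: 17,                                           // constructed value
  customer_name: '<img src=x onerror=payload()> Smith',  // constructed value
  total: '42.00',                                        // constructed value
};

// Vulnerable column list (constructed) and the same list with the fix applied.
const vulnerableColumns = [
  { field: 'sale_id',       title: 'Sale',     escape: true },
  { field: 'customer_name', title: 'Customer', escape: false },
  { field: 'total',         title: 'Total' },
];
const fixedColumns = vulnerableColumns.map(c => ({ ...c, escape: true }));

console.log(renderCell(vulnerableColumns[1], sampleRow)); // markup reaches the cell intact
console.log(renderCell(fixedColumns[1], sampleRow));      // entity-encoded, inert text
console.log(unescapedFields(vulnerableColumns));          // [ 'customer_name', 'total' ]
```

Running `unescapedFields()` over a fork's column definitions is a quick way to perform the configuration review suggested under Detection Strategies; any field it returns is rendered as raw HTML whenever the stored value reaches the page.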
Attack Vector
Exploitation requires network access to the application and authenticated access with customer management privileges. User interaction is needed because a separate user must load the Daily Sales page for the payload to fire. In CVSS terms the scope is changed, because the injected script executes in the victim's browser context and can act on behalf of higher-privileged users, including administrators viewing the same report.
The vulnerability is described in prose only because no verified proof-of-concept code is published. Refer to the GitHub Security Advisory GHSA-hcfr-9hfv-mcwp for vendor technical details.
Detection Methods for CVE-2026-32712
Indicators of Compromise
- Customer records containing HTML tags such as <script>, <img onerror=...>, or <svg onload=...> in the first_name or last_name columns of the database.
- Outbound HTTP requests from staff browser sessions to unexpected domains shortly after loading the Daily Sales page.
- Unexpected session token or cookie exfiltration patterns originating from authenticated POS users.
Detection Strategies
- Query the customers table for non-alphanumeric characters such as <, >, and = in name fields to surface stored payloads.
- Review web server access logs for POST requests to customer create or update endpoints containing URL-encoded HTML control characters.
- Inspect bootstrap-table column configurations in custom forks for additional uses of escape: false that could harbor similar issues.
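The first two hunts above, as an added example that is not code from Open Source Point of Sale: a scan of customer name fields for HTML control characters and a scan of web server access log lines for POST requests to customer write routes whose request target carries URL-encoded `<` or `>`. The route pattern (`/customers/save/...`), the combined log format and every sample value are assumptions made for illustration.

```javascript
// Added example, not code from Open Source Point of Sale: detection logic
// for the Detection Strategies above, run over constructed sample data.

// '<', '>' and '=' as listed above, plus entity- and percent-encoded '<'/'>'
// so that an encoded variant is surfaced for review as well.
const HTML_CONTROL = /[<>=]|&(?:#60|#62|#x3c|#x3e|lt|gt);|%3[ce]/i;

// Return ids of customer rows whose name fields contain HTML control characters.
function findSuspiciousCustomers(rows) {
  return rows
    .filter(r => HTML_CONTROL.test(String(r.first_name ?? '')) ||
                 HTML_CONTROL.test(String(r.last_name ?? '')))
    .map(r => r.id);
}

// Parse one combined-format access log line into the fields we care about.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Assumed customer create/update routes; adjust to the deployed routing.
const CUSTOMER_WRITE_PATH = /^\/customers\/(save|update|create)\b/;

// Return parsed entries for POSTs to customer write routes whose request
// target carries URL-encoded '<' or '>'. Only the request line is logged by
// default, so form bodies are not visible here (see the note below).
function findSuspiciousLogLines(lines) {
  return lines
    .map(parseLogLine)
    .filter(e => e && e.method === 'POST' &&
                 CUSTOMER_WRITE_PATH.test(e.path) &&
                 /%3[ce]/i.test(e.path));
}

// Constructed customer rows.
const sampleCustomers = [
  { id: 1, first_name: 'Alice',             last_name: 'Smith' },
  { id: 2, first_name: 'Mary-Ann',          last_name: "O'Brien" },       // apostrophe is legitimate
  { id: 3, first_name: '<svg onload=x()>',  last_name: 'Doe' },           // stored payload shape
  { id: 4, first_name: 'Bob',               last_name: '&lt;script&gt;' }, // entity-encoded variant
];

// Constructed access log lines (combined format, documentation IP ranges).
const sampleLog = [
  '203.0.113.5 - - [07/Apr/2026:10:15:02 +0000] "GET /sales/manage HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [07/Apr/2026:10:15:40 +0000] "POST /customers/save/12?first_name=%3Csvg%20onload%3Dx()%3E HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [07/Apr/2026:10:16:11 +0000] "POST /customers/save/7 HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [07/Apr/2026:10:17:03 +0000] "POST /items/save/3?name=%3Cb%3Ebold HTTP/1.1" 200 290 "-" "Mozilla/5.0"',
];

console.log(findSuspiciousCustomers(sampleCustomers)); // [ 3, 4 ]
console.log(findSuspiciousLogLines(sampleLog).map(e => `${e.ip} ${e.path}`));
```

Two caveats for anyone running this for real. The database scan is the reliable hunt: a standard access log records only the request line, so a payload submitted in a normal form body never appears in it unless a reverse proxy or WAF is logging request bodies. And `=` in the character set will flag the occasional legitimate name or business name, so treat the output as a review queue rather than a verdict.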
Monitoring Recommendations
- Enable a Content Security Policy (CSP) in report-only mode and monitor violation reports for inline script execution on POS pages.
- Review the Open Source Point of Sale audit log for customer record edits made by accounts that rarely manage customers.
- Alert on browser console errors or CSP violations generated by staff workstations during normal POS use.
How to Mitigate CVE-2026-32712
Immediate Actions Required
- Upgrade Open Source Point of Sale to version 3.4.3 or later, which contains the official fix.
- Review and sanitize existing customer records by removing HTML markup from first_name and last_name fields before upgrading.
- Restrict customer management permissions to trusted personnel and revoke the privilege from unnecessary accounts.
Patch Information
The maintainers released a fix in Open Source Point of Sale 3.4.3. The patch addresses the rendering behavior of the customer_name column in the Daily Sales table. Details are documented in the GitHub Security Advisory GHSA-hcfr-9hfv-mcwp.
Workarounds
- Modify the Daily Sales bootstrap-table configuration to set escape: true on the customer_name column until the upgrade is applied.
- Enforce a strict Content Security Policy that disallows inline scripts to limit payload execution.
- Add server-side input validation that rejects HTML control characters in customer name fields.
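The input-validation workaround above and the record clean-up under Immediate Actions, as an added example that is not code from Open Source Point of Sale. It is written in JavaScript for consistency with the other examples on this page; in the application itself the same rules would sit in the PHP/CodeIgniter customer save handler. The field semantics are the page's, the length limit is assumed.

```javascript
// Added example, not code from Open Source Point of Sale: server-side name
// validation (the workaround) and clean-up of already stored names.

const MAX_NAME_LENGTH = 255; // assumed column width

// Reject a name that carries HTML tag delimiters or an entity-encoded form of
// them. Apostrophes, hyphens, ampersands and non-ASCII letters are allowed,
// since real names use them; output escaping (the actual fix) covers those.
function validateCustomerName(name) {
  if (typeof name !== 'string') return { ok: false, reason: 'not a string' };
  const value = name.trim();
  if (value.length === 0) return { ok: false, reason: 'empty' };
  if (value.length > MAX_NAME_LENGTH) return { ok: false, reason: 'too long' };
  if (/[<>]/.test(value)) return { ok: false, reason: 'tag delimiter' };
  if (/&(?:#60|#62|#x3c|#x3e|lt|gt);/i.test(value)) return { ok: false, reason: 'encoded tag delimiter' };
  return { ok: true, value };
}

// Clean an existing stored name: drop complete tags, then any stray
// delimiters, and collapse whitespace. `changed` lets the caller log the
// record; `needsReview` marks a field that was nothing but markup, which
// needs a human decision rather than a blank name.
function sanitizeStoredName(name) {
  const original = String(name ?? '');
  const cleaned = original
    .replace(/<[^>]*>/g, '')
    .replace(/[<>]/g, '')
    .replace(/\s+/g, ' ')
    .trim();
  return {
    value: cleaned,
    changed: cleaned !== original,
    needsReview: cleaned.length === 0 && original.length > 0,
  };
}

// Constructed samples.
console.log(validateCustomerName("Mary-Ann O'Brien"));
console.log(validateCustomerName('<svg onload=x()>'));
console.log(sanitizeStoredName('<img src=x onerror=payload()> Smith'));
console.log(sanitizeStoredName('<svg onload=x()>'));
```

Validation only protects records written after it is deployed, which is why the clean-up pass over existing rows belongs before the upgrade; neither replaces the output-side fix in 3.4.3, since any other path that writes a name (imports, integrations) would bypass the check.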
# Configuration example: enforce HTML escaping for the customer_name column
# Locate the Daily Sales table column definition and change escape: false to escape: true
# Example replacement in the relevant view/JS file:
# { field: 'customer_name', title: 'Customer', escape: true }
grep -RIn "escape: false" /var/www/opensourcepos/public/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.