CVE 8.7 HIGH

FacturaScripts has SQL Injection vulnerability in Autocomplete Actions_CVE-2026-25514

February 4, 2026 invoker category_cve
8.7 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.

Basic Information

ID CVE-2026-25514
Source GitHub_M
Published Feb 4, 2026 at 19:59

Affected Product

Vendor NeoRazorX
Product facturascripts
Version < 2025.81
Affected Versions NeoRazorX facturascripts < 2025.81

CWE Classification

CWE-20 CWE-89 CWE-943

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.