PT-2026-41942 · Billabear · Billabear

Published: 2026-05-19 · Updated: 2026-05-20 · CVE-2026-31069

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BillaBear versions prior to Jan 2026
Description: An issue exists in the EventRepository where user-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using the sprintf() function without proper sanitization or identifier quoting. While filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE ACCOUNT MANAGER permissions can exploit this to execute arbitrary SQL commands.
Recommendations: Update to a version released in January 2026 or later. As a temporary workaround, restrict the use of the EventRepository or limit the permissions of users with ROLE ACCOUNT MANAGER to minimize the risk of exploitation.
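The description above is the classic "values are parameterized but identifiers are not" pattern. The following is an added illustration, not BillaBear code: a constructed query builder in Python (using %-formatting as the stand-in for PHP's sprintf()) beside a hardened version that allowlists and quotes filter keys while still binding the values, run against an in-memory SQLite table with constructed rows. The table, column and key names are assumptions for the demo.

```python
import re
import sqlite3

# Assumption for the demo: the only metadata keys a caller may filter on.
ALLOWED_FILTER_KEYS = {"country", "plan", "status"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_count_query_vulnerable(filters: dict) -> tuple[str, list]:
    """The bug pattern from the advisory: the value is bound, but the key
    is formatted straight into the SQL text, so any key is accepted verbatim."""
    clauses = ["%s = ?" % key for key in filters]          # key is not quoted or validated
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    return "SELECT COUNT(*) FROM events" + where, list(filters.values())


def quote_identifier(name: str) -> str:
    """Accept only known, well-formed column names and quote them so the
    database can never read them as SQL syntax."""
    if name not in ALLOWED_FILTER_KEYS or not IDENTIFIER_RE.match(name):
        raise ValueError(f"unsupported filter key: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def build_count_query(filters: dict) -> tuple[str, list]:
    """Hardened form: identifiers allowlisted and quoted, values parameterized."""
    clauses = [f"{quote_identifier(key)} = ?" for key in filters]
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    return "SELECT COUNT(*) FROM events" + where, list(filters.values())


def make_demo_db() -> sqlite3.Connection:
    """Constructed events table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, country TEXT, plan TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO events (country, plan, status) VALUES (?, ?, ?)",
        [("GB", "pro", "active"), ("GB", "basic", "active"), ("US", "pro", "cancelled")],
    )
    conn.commit()
    return conn


def count_events(conn: sqlite3.Connection, filters: dict) -> int:
    """Run the hardened query; values travel as bind parameters."""
    sql, params = build_count_query(filters)
    return conn.execute(sql, params).fetchone()[0]
```

A unit test that feeds a key containing punctuation into the builder and expects ValueError is the cheapest regression check for this class of bug.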

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-31069

Affected Products: Billabear