PT-2026-53271 · Unknown · FrontAccounting
Jiva · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-40524
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: FrontAccounting versions prior to 2.4.20
Description: An issue exists in the get_gl_transactions() function, where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. This allows users with the SA_GLANALYTIC permission to perform boolean-based blind SQL injection (extracting data by observing whether the server's response differs for true and false conditions) by supplying a closing parenthesis followed by malicious conditions, and thereby to extract sensitive journal entry data.
Recommendations: Update FrontAccounting to version 2.4.20 or later. As a temporary workaround, restrict the SA_GLANALYTIC permission to trusted users only.
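The defect the description names, shown beside a hardened form as an added example that is not FrontAccounting's own code: a hypothetical get_gl_transactions() whose IN() list is built from one placeholder per validated integer type code, run against a constructed in-memory SQLite table. The gl_trans table, its columns and the sample rows are assumptions, not the project's schema.

```python
import sqlite3

# Constructed sample rows (id, type, amount) standing in for journal entries;
# the gl_trans table and its columns are assumptions, not FrontAccounting's schema.
SAMPLE_ROWS = [(1, 0, 100.0), (2, 10, -50.0), (3, 12, 25.0)]

def vulnerable_query_text(filter_type):
    # The defect the advisory describes: the caller-controlled value is pasted
    # into the IN() list as text, so a value containing ')' rewrites the query.
    # Shown only as SQL text for contrast; it is never executed here.
    return "SELECT id, type, amount FROM gl_trans WHERE type IN (" + str(filter_type) + ")"

def build_filter_type_query(filter_type):
    """Hardened form: every type code must be an integer, and the IN() list is
    built from one '?' placeholder per code so values never touch the SQL text."""
    if isinstance(filter_type, (str, int)):
        filter_type = [filter_type]
    codes = []
    for value in filter_type:
        if isinstance(value, bool) or not isinstance(value, int):
            # Accept decimal strings from request parameters; reject anything else.
            if not (isinstance(value, str) and value.strip().isdigit()):
                raise ValueError(f"invalid journal type: {value!r}")
            value = int(value.strip())
        codes.append(value)
    if not codes:
        raise ValueError("at least one journal type is required")
    placeholders = ",".join("?" * len(codes))
    sql = ("SELECT id, type, amount FROM gl_trans WHERE type IN ("
           + placeholders + ") ORDER BY id")
    return sql, codes

def get_gl_transactions(conn, filter_type):
    """Hypothetical stand-in for the function the advisory names."""
    sql, params = build_filter_type_query(filter_type)
    return conn.execute(sql, params).fetchall()

def make_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gl_trans (id INTEGER, type INTEGER, amount REAL)")
    conn.executemany("INSERT INTO gl_trans VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

if __name__ == "__main__":
    db = make_sample_db()
    print(get_gl_transactions(db, [0, 12]))   # [(1, 0, 100.0), (3, 12, 25.0)]
    try:
        get_gl_transactions(db, "0) OR 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)
```

If the set of journal type codes the report should accept is known, an allowlist of those codes in place of the plain integer check tightens this further.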

Exploit · Fix · SQL injection

Related Identifiers: CVE-2026-40524
Affected Products: FrontAccounting