PT-2026-6305 · Unknown · Facturascripts

Lukasz-Rybak · Published 2026-02-03 · Updated 2026-02-23 · CVE-2026-25513

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to 2025.81

Description: FacturaScripts, an open-source enterprise resource planning and accounting software, contains a critical SQL injection issue in its REST API. Authenticated API users can execute arbitrary SQL queries through the sort parameter. The issue resides in the getOrderBy() method of the ModelClass, where user-supplied sorting parameters are directly incorporated into the SQL ORDER BY clause without proper validation or sanitization. This impacts all API endpoints that support sorting functionality.

Recommendations: Update to version 2025.81 or later.
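The defect described above is the classic ORDER BY injection pattern: a sort field and direction taken from the request cannot be passed as bound parameters, so they must be restricted to an allowlist before they touch the SQL text. The following Python illustration is added here and is not FacturaScripts' code (the project is written in PHP); the sort-parameter shape (a mapping of field name to direction), the table and column names, and the sample rows are all constructed assumptions. It places the unvalidated builder beside a hardened one and runs the hardened form against an in-memory SQLite table.

```python
import sqlite3

# Constructed sample schema and rows; not FacturaScripts' real table layout.
SAMPLE_SCHEMA = "CREATE TABLE clientes (codcliente TEXT, nombre TEXT, fechaalta TEXT)"
SAMPLE_ROWS = [
    ("C1", "Zeta", "2024-01-02"),
    ("C2", "Alpha", "2023-11-30"),
    ("C3", "Mid", "2024-06-15"),
]

# Allowlist of sortable columns for this model (assumption: a real implementation
# would derive this from the model's declared field list, never from the request).
SORTABLE_FIELDS = frozenset({"codcliente", "nombre", "fechaalta"})
DIRECTIONS = frozenset({"ASC", "DESC"})


def naive_order_by(sort):
    """Vulnerable pattern: whatever the client sent is concatenated into the SQL text.

    `sort` is assumed to be a dict of field -> direction straight from the request.
    Nothing here checks that the field is a real column or that the direction is
    ASC/DESC, so any SQL fragment the client supplies becomes part of the query.
    """
    if not sort:
        return ""
    return " ORDER BY " + ", ".join(f"{field} {direction}" for field, direction in sort.items())


def safe_order_by(sort, allowed=SORTABLE_FIELDS):
    """Hardened builder: only allowlisted columns and the two literal directions pass.

    Identifiers cannot be bound as query parameters, so the defence is to compare the
    field against a fixed set of known column names and to map the direction onto one
    of two constants. Anything else is rejected with an exception rather than sanitised.
    """
    if not sort:
        return ""
    parts = []
    for field, direction in sort.items():
        if field not in allowed:
            raise ValueError(f"unsortable field: {field!r}")
        direction = str(direction).upper()
        if direction not in DIRECTIONS:
            raise ValueError(f"invalid sort direction: {direction!r}")
        # Quote the (now trusted) identifier so it is treated as a column name only.
        parts.append(f'"{field}" {direction}')
    return " ORDER BY " + ", ".join(parts)


def query_sorted(sort, builder=safe_order_by):
    """Run a sorted SELECT over the constructed sample table and return the key column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO clientes VALUES (?, ?, ?)", SAMPLE_ROWS)
    sql = "SELECT codcliente FROM clientes" + builder(sort)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    print(query_sorted({"nombre": "asc"}))          # ['C2', 'C3', 'C1']
    print(query_sorted({"fechaalta": "desc"}))      # ['C3', 'C1', 'C2']
    for bad in ({"notacolumn": "asc"}, {"nombre": "sideways"}):
        try:
            safe_order_by(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The point of contrast is that `naive_order_by` returns a string for any input at all, while `safe_order_by` has exactly one code path that emits SQL, and that path can only emit a quoted name from the fixed set followed by `ASC` or `DESC`. Rejecting with an error (an HTTP 400 in an API) is preferable to stripping characters, since a sanitiser has to anticipate every encoding the database will accept and an allowlist does not.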

Tags: Exploit · Fix · SQL injection · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-25513
GHSA-CJFX-QHWM-HF99

Affected Products

Facturascripts