PT-2026-6306 · Unknown · Facturascripts
Author: Lukasz-Rybak
Published: 2026-02-03 · Updated: 2026-02-23
CVE-2026-25514
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
FacturaScripts versions prior to 2025.81
Description
FacturaScripts is enterprise resource planning and accounting software. Versions prior to 2025.81 contain a critical SQL injection issue in the autocomplete functionality. Authenticated attackers can extract sensitive data from the database, including user credentials, configuration settings, and business data. The issue is located in the CodeModel::all() method, where user-supplied parameters are directly concatenated into SQL queries without proper sanitization or parameterized binding.
Recommendations
Update to version 2025.81 or later.
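The concatenation pattern named in the description, shown beside a hardened form, as an added illustration that is not FacturaScripts code: Python with sqlite3 stands in for the project's PHP and database layer, and the table names, columns, sample rows and function names are constructed for the example. The hardened version binds the search value as a parameter and checks the table and field names against a fixed allow-list, since SQL identifiers cannot be bound.

```python
import sqlite3

# Constructed allow-list: which tables and columns an autocomplete lookup may query.
# Hypothetical names for the example, not FacturaScripts' schema.
ALLOWED_LOOKUPS = {
    "clientes": {"codcliente", "nombre"},
    "productos": {"referencia", "descripcion"},
}


def build_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clientes (codcliente TEXT, nombre TEXT)")
    conn.executemany(
        "INSERT INTO clientes VALUES (?, ?)",
        [("C001", "Acme Ltd"), ("C002", "O'Brien & Sons"), ("C003", "Globex")],
    )
    conn.execute("CREATE TABLE productos (referencia TEXT, descripcion TEXT)")
    conn.executemany(
        "INSERT INTO productos VALUES (?, ?)",
        [("P-10", "10% discount voucher"), ("P-20", "Standard widget")],
    )
    return conn


def autocomplete_vulnerable(conn, table, field, term):
    """Vulnerable pattern: every caller-supplied value is pasted into the SQL text,
    so the search term (and the identifiers) can change the shape of the query.
    A plain apostrophe in the term already breaks it; wildcards pass through."""
    sql = f"SELECT {field} FROM {table} WHERE {field} LIKE '%{term}%' ORDER BY 1"
    return [row[0] for row in conn.execute(sql)]


def _like_pattern(term):
    """Escape LIKE wildcards with '!' so the term matches literally
    (the query below declares ESCAPE '!')."""
    escaped = term.replace("!", "!!").replace("%", "!%").replace("_", "!_")
    return f"%{escaped}%"


def autocomplete_hardened(conn, table, field, term):
    """Hardened pattern: identifiers are validated against a fixed allow-list
    (they cannot be bound as parameters) and quoted; the search value is bound
    with a placeholder and never becomes part of the SQL text."""
    if table not in ALLOWED_LOOKUPS or field not in ALLOWED_LOOKUPS[table]:
        raise ValueError(f"lookup on {table}.{field} is not permitted")
    sql = f"""SELECT "{field}" FROM "{table}" WHERE "{field}" LIKE ? ESCAPE '!' ORDER BY 1"""
    return [row[0] for row in conn.execute(sql, (_like_pattern(term),))]


if __name__ == "__main__":
    db = build_db()
    print(autocomplete_hardened(db, "clientes", "nombre", "O'Bri"))
    print(autocomplete_hardened(db, "productos", "descripcion", "%"))
```

The two checks that matter for this class of bug are visible in the hardened function: a request for a table or column outside the allow-list is refused before any SQL is built, and the value the user typed only ever reaches the database through a bound parameter, so quotes and wildcards in it are treated as data.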
Exploit · Fix · SQL injection · RCE
Related Identifiers
Affected Products: Facturascripts