Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25514 is a critical SQL injection vulnerability in FacturaScripts, an open-source ERP and accounting software. The flaw exists in the autocomplete functionality within the CodeModel::all() method, where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding.'}, {'type': 'paragraph', 'content': "This allows authenticated attackers, regardless of their user role, to inject malicious SQL code via the 'fieldtitle' parameter. Exploiting this, attackers can extract sensitive data such as user credentials, configuration settings, business data, and more from the database."}, {'type': 'paragraph', 'content': 'The attack involves sending specially crafted POST requests to the /CopyModel endpoint with the action=autocomplete, injecting SQL payloads that the application executes and returns in JSON format, enabling data exfiltration.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including complete disclosure of the database contents. Attackers can access sensitive information such as user password hashes, customer information, financial records, business logic, and system configuration settings.

Because any authenticated user can exploit this flaw, it significantly increases the risk of unauthorized data access and potential data breaches.

The vulnerability also affects the confidentiality, integrity, and availability of the system, as reflected by its high CVSS v4 base score of 8.7.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for authenticated POST requests to the /CopyModel endpoint with the parameter action=autocomplete, where the fieldtitle parameter contains suspicious SQL injection payloads.'}, {'type': 'paragraph', 'content': 'An attacker sends POST requests including a valid multireqtoken and injects SQL code via the fieldtitle parameter to extract sensitive data.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can look for unusual POST requests with SQL keywords or payloads in the fieldtitle parameter in your web server logs or application logs.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': "Using grep on web server logs to find suspicious POST requests: grep -i 'POST /CopyModel' /var/log/apache2/access.log | grep 'action=autocomplete'"}, {'type': 'list_item', 'content': "Searching for SQL keywords in POST data (if logs contain POST bodies): grep -iE 'union|select|concat|version\\(\\)' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Monitoring application logs for errors related to invalid field names or logged SQL errors, as the patched version logs errors when invalid parameters are detected.'}, {'type': 'paragraph', 'content': 'Additionally, automated scripts or intrusion detection systems can be configured to alert on POST requests to /CopyModel with suspicious fieldtitle values.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade FacturaScripts to version 2025.81 or later, where the vulnerability has been patched.
• If upgrading is not immediately possible, restrict access to the affected endpoints (such as /CopyModel) to trusted users only.
• Implement network-level controls such as firewall rules or web application firewall (WAF) rules to block suspicious POST requests containing SQL injection patterns targeting the autocomplete functionality.
• Monitor logs for exploitation attempts and respond accordingly.

The root cause is unsanitized user input concatenated into SQL queries. The patch includes validating field names with a strict regex and rejecting invalid parameters early, preventing SQL injection.

Therefore, applying the official patch or upgrade is the most effective mitigation.

Useful 0 Not Useful 0