CVE-2026-25514
Critical SQL Injection in FacturaScripts Autocomplete Exposes Data

Publication date: 2026-02-04

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.
Meta Information
Published: 2026-02-04
Last Modified: 2026-02-23
Generated: 2026-05-07
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: facturascripts
Product: facturascripts
Version / Range: up to 2025.81 (exclusive)
CWE IDs and Descriptions
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-943: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25514 is a critical SQL injection vulnerability in FacturaScripts, an open-source ERP and accounting software. The flaw exists in the autocomplete functionality within the CodeModel::all() method, where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding.

This allows authenticated attackers, regardless of their user role, to inject malicious SQL code via the 'fieldtitle' parameter. Exploiting this, attackers can extract sensitive data such as user credentials, configuration settings, business data, and more from the database.

The attack involves sending specially crafted POST requests to the /CopyModel endpoint with action=autocomplete, injecting SQL payloads that the application executes and returns in JSON format, enabling data exfiltration. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts including complete disclosure of the database contents. Attackers can access sensitive information such as user password hashes, customer information, financial records, business logic, and system configuration settings.

Because any authenticated user can exploit this flaw, it significantly increases the risk of unauthorized data access and potential data breaches.

The vulnerability also affects the confidentiality, integrity, and availability of the system, as reflected by its high CVSS v4 base score of 8.7.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for authenticated POST requests to the /CopyModel endpoint with the parameter action=autocomplete, where the fieldtitle parameter contains suspicious SQL injection payloads.

An attacker sends POST requests including a valid multireqtoken and injects SQL code via the fieldtitle parameter to extract sensitive data.

To detect exploitation attempts, you can look for unusual POST requests with SQL keywords or payloads in the fieldtitle parameter in your web server logs or application logs.

Example commands to detect such activity might include:

  • Using grep on web server logs to find suspicious POST requests: grep -i 'POST /CopyModel' /var/log/apache2/access.log | grep 'action=autocomplete'
  • Searching for SQL keywords in POST data (if logs contain POST bodies): grep -iE 'union|select|concat|version\(\)' /var/log/apache2/access.log
  • Monitoring application logs for errors related to invalid field names or logged SQL errors, as the patched version logs errors when invalid parameters are detected.

Additionally, automated scripts or intrusion detection systems can be configured to alert on POST requests to /CopyModel with suspicious fieldtitle values. [1]
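As an added example (not from the advisory or the FacturaScripts project), a Python checker that applies the detection idea above to constructed log lines: it assumes a log format in which the POST body is appended as a final quoted field (stock access logs do not record bodies), and flags autocomplete requests whose fieldtitle is not a plain column identifier, noting whether SQL keywords appear in it.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not from the advisory). Assumed format:
# combined log with the POST body appended as a final quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2026:10:01:02 +0000] "POST /CopyModel HTTP/1.1" 200 512 "action=autocomplete&multireqtoken=abc123&fieldtitle=nombre&term=ac"
10.0.0.9 - - [04/Feb/2026:10:02:17 +0000] "POST /CopyModel HTTP/1.1" 200 9021 "action=autocomplete&multireqtoken=abc123&fieldtitle=nombre%20UNION%20SELECT%20version()&term=a"
10.0.0.9 - - [04/Feb/2026:10:02:40 +0000] "POST /CopyModel HTTP/1.1" 500 311 "action=autocomplete&multireqtoken=abc123&fieldtitle=nombre%27&term=a"
10.0.0.5 - - [04/Feb/2026:10:03:00 +0000] "GET /Home HTTP/1.1" 200 4410 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)
# A legitimate fieldtitle is a bare column name; the patched version rejects
# anything else, so anything else in a log is worth a look.
IDENT_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')
SQL_KEYWORDS = re.compile(r'\b(union|select|concat|version\(\))', re.IGNORECASE)


def flag_autocomplete_requests(log_text):
    """Return one dict per suspicious POST /CopyModel action=autocomplete request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST' or m['path'].split('?', 1)[0] != '/CopyModel':
            continue
        params = parse_qs(m['body'])  # percent-decodes the body values
        if params.get('action', [''])[0] != 'autocomplete':
            continue
        fieldtitle = params.get('fieldtitle', [''])[0]
        if IDENT_RE.match(fieldtitle):
            continue  # plain column name: benign
        reason = 'sql-keywords' if SQL_KEYWORDS.search(fieldtitle) else 'non-identifier'
        hits.append({'ip': m['ip'], 'ts': m['ts'], 'status': m['status'],
                     'fieldtitle': fieldtitle, 'reason': reason})
    return hits


if __name__ == '__main__':
    for hit in flag_autocomplete_requests(SAMPLE_LOG):
        print(hit)
```

Checking the identifier shape rather than only keywords also catches percent-encoded or obfuscated values that a keyword grep would miss.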


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade FacturaScripts to version 2025.81 or later, where the vulnerability has been patched.
  • If upgrading is not immediately possible, restrict access to the affected endpoints (such as /CopyModel) to trusted users only.
  • Implement network-level controls such as firewall rules or web application firewall (WAF) rules to block suspicious POST requests containing SQL injection patterns targeting the autocomplete functionality.
  • Monitor logs for exploitation attempts and respond accordingly.

The root cause is unsanitized user input concatenated into SQL queries. The patch includes validating field names with a strict regex and rejecting invalid parameters early, preventing SQL injection.

Therefore, applying the official patch or upgrade is the most effective mitigation.
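An added Python illustration (not FacturaScripts' own code, which is PHP) of the fix shape described above: a strict identifier regex plus a column allowlist rejects bad field names before any SQL is built, and the search term is bound as a parameter rather than concatenated. The parameter names table, term and limit, and the sample schema, are assumptions for this example; fieldtitle is the parameter the advisory names.

```python
import re
import sqlite3

# Strict identifier pattern: anything that is not a bare column name is
# rejected early, before it reaches SQL.
IDENT_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


class InvalidFieldName(ValueError):
    """Raised early, so no query is ever built from a bad field name."""


def autocomplete(conn, table, fieldtitle, term, limit=10):
    """Return (rowid, title) rows whose `fieldtitle` column contains `term`."""
    for name in (table, fieldtitle):
        if not IDENT_RE.match(name):
            raise InvalidFieldName(f"rejected field name: {name!r}")
    # Second gate: the name must be a real column of the table, so a
    # syntactically valid but unknown name cannot reach the query either.
    columns = {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}
    if fieldtitle not in columns:
        raise InvalidFieldName(f"unknown column: {fieldtitle!r}")
    # Identifiers are validated and quoted; the search term is bound, never
    # concatenated, so quotes inside it stay data.
    sql = (f'SELECT rowid, "{fieldtitle}" FROM "{table}" '
           f'WHERE "{fieldtitle}" LIKE ? ORDER BY "{fieldtitle}" LIMIT ?')
    return conn.execute(sql, (f"%{term}%", limit)).fetchall()


def demo_connection():
    """Constructed in-memory sample data, not the FacturaScripts schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clientes (codcliente TEXT, nombre TEXT)")
    conn.executemany("INSERT INTO clientes VALUES (?, ?)",
                     [("C1", "Acme S.L."), ("C2", "O'Brien Ltd"), ("C3", "Acme Norte")])
    return conn


if __name__ == '__main__':
    conn = demo_connection()
    print(autocomplete(conn, "clientes", "nombre", "O'Brien"))
    try:
        autocomplete(conn, "clientes", "nombre UNION SELECT version()", "a")
    except InvalidFieldName as err:
        print("rejected:", err)
```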

