CVE-2026-40522
Status: Received - Intake

FrontAccounting SQL Injection in Bank Statement Report

Vulnerability report for CVE-2026-40522, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through the unparameterized WHERE clause to retrieve sensitive information including usernames, password hashes, and email addresses from the users table, rendered into PDF report output.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A
References: NVD, EUVD

Affected Vendors & Products

One associated CPE:
Vendor: frontaccounting
Product: frontaccounting
Version / Range: versions before 2.4.20 (2.4.20 itself excluded)

Exploitability

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-916: The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Compliance Impact

The SQL injection vulnerability in FrontAccounting before version 2.4.20 allows attackers to extract sensitive personal data such as usernames, password hashes, and email addresses from the database. This unauthorized access and potential exposure of personal and credential information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches.

Specifically, the extraction of sensitive user data through the vulnerability could violate confidentiality and data protection requirements mandated by these standards, potentially resulting in legal and regulatory consequences for affected organizations.

Executive Summary

CVE-2026-40522 is a SQL injection vulnerability found in FrontAccounting versions before 2.4.20, specifically in the Bank Statement report handler (rep601.php).

Authenticated attackers with appropriate permissions can inject malicious SQL code into the PARAM_0 POST parameter, which is used directly in an unparameterized SQL WHERE clause without proper sanitization.

This injection allows attackers to execute UNION SELECT payloads to extract arbitrary data from the database, including sensitive information such as usernames, password hashes, and email addresses from the users table.

The extracted data is then rendered into the PDF report output, making the exfiltration appear as legitimate report content.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive database information, including user credentials and personal data.

Attackers can exploit the flaw to retrieve password hashes stored using weak unsalted MD5 hashing, which can be cracked easily, potentially allowing further unauthorized access to the system.

Since the extracted data is embedded in PDF reports, the attack may go unnoticed as the malicious activity appears as normal report generation.

Overall, this can compromise the confidentiality of user data and lead to further security breaches.

Detection Guidance

This vulnerability can be detected by monitoring for unusual POST requests to the Bank Statement report handler (rep601.php) that include suspicious SQL injection payloads in the PARAM_0 parameter.

Specifically, look for POST requests where PARAM_0 contains UNION SELECT statements or other SQL syntax that attempts to extract data from the users table.

You can use network monitoring tools or web server logs to identify such requests.

  • Use grep or similar tools on web server logs to find suspicious POST data, for example:
      grep -i 'PARAM_0=.*union select' /var/log/apache2/access.log
  • Use tools like Wireshark or tcpdump to capture HTTP POST traffic and filter for suspicious SQL keywords in the PARAM_0 parameter.
  • Check application logs for unusual PDF report generation requests that may indicate data exfiltration attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade FrontAccounting to version 2.4.20 or later, where this SQL injection vulnerability has been patched.

If upgrading is not immediately possible, restrict access to the Bank Statement report handler (rep601.php) to only trusted users with the SA_BANKREP permission.

Implement input validation and sanitization on the PARAM_0 POST parameter to ensure it only accepts expected integer values.

Consider applying temporary web application firewall (WAF) rules to block requests containing UNION SELECT or other SQL injection patterns targeting PARAM_0.

Review and improve password storage mechanisms by migrating from unsalted MD5 hashes to stronger algorithms like bcrypt to reduce the impact of potential data leaks.
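The following is an added example written for this page; it is not FrontAccounting code and not part of the original advisory. It combines the two defender-side points above: the log-screening step from the Detection Guidance section, and the strict integer allow-list for PARAM_0 from the Mitigation Strategies section. It assumes a request-body log in which each line records the POSTed form body of a request (a WAF or mod_security-style audit log; this format is constructed for the example). That assumption matters because Apache's default access.log records only the request line, not POST bodies, so a grep over access.log cannot see PARAM_0 at all. The detector goes a little beyond a plain keyword grep: it URL-decodes the body, strips inline SQL comments and collapses case and whitespace before matching, and it treats any non-integer PARAM_0 as a finding even when no known keyword appears, which is the allow-list rule a hardened handler would enforce before building any SQL. All sample log lines, IP addresses and timestamps are constructed.

```python
"""Added example (not FrontAccounting code): screen a request-body log for
suspicious PARAM_0 values sent to the Bank Statement report handler, and show
the integer allow-list check a hardened handler would apply.

Assumed (constructed) log format, one request per line:
    <timestamp> <client-ip> <request-path> <urlencoded-post-body>
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample audit-log lines for this example (not real traffic).
SAMPLE_LOG = """\
2026-06-29T10:00:01Z 10.0.0.5 /reporting/rep601.php PARAM_0=12&PARAM_1=2026-01-01&PARAM_2=2026-06-01
2026-06-29T10:00:07Z 10.0.0.9 /reporting/rep601.php PARAM_0=12+UNION+SELECT+1%2C2%2C3&PARAM_1=2026-01-01
2026-06-29T10:00:09Z 10.0.0.9 /reporting/rep601.php PARAM_0=12/**/uNiOn/**/sElEcT/**/1&PARAM_1=2026-01-01
2026-06-29T10:00:12Z 10.0.0.5 /reporting/rep601.php PARAM_0=7&PARAM_1=2026-01-01&PARAM_2=2026-06-01
2026-06-29T10:00:15Z 10.0.0.7 /reporting/rep101.php PARAM_0=1+UNION+SELECT+1
"""

# The handler expects a bank-account id: a short, unsigned decimal integer.
# (Exact bound is an assumption for the example.)
PARAM0_RE = re.compile(r"^\d{1,10}$")

# Classification patterns applied to the *normalized* value. They only label a
# finding; the allow-list check above is what decides whether a value is bad.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    ("select-from", re.compile(r"\bselect\b.*\bfrom\b")),
    ("comment-or-quote", re.compile(r"--|#|'")),
]


def is_valid_param0(value: str) -> bool:
    """Strict allow-list: the only PARAM_0 a hardened handler should accept."""
    return PARAM0_RE.fullmatch(value) is not None


def normalize(value: str) -> str:
    """Decode once more (catches double-encoding), drop inline comments that
    split keywords, collapse whitespace and lowercase, so that keyword
    matching is not defeated by trivial obfuscation."""
    v = unquote_plus(value)
    v = re.sub(r"/\*.*?\*/", " ", v)
    v = re.sub(r"\s+", " ", v).strip()
    return v.lower()


def classify(value: str) -> str:
    """Label what kind of suspicious content a rejected PARAM_0 contains."""
    norm = normalize(value)
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(norm):
            return name
    return "non-integer"


def scan_log(text: str, handler: str = "rep601.php") -> list:
    """Return one finding per PARAM_0 value sent to `handler` that fails the
    integer allow-list. parse_qs performs the URL decoding of the form body."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        ts, client, path, body = parts
        if not path.endswith(handler):
            continue
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get("PARAM_0", []):
            if is_valid_param0(value):
                continue
            findings.append({
                "time": ts,
                "client": client,
                "param_0": value,
                "reason": classify(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} PARAM_0={f['param_0']!r} -> {f['reason']}")
```

Run against the constructed sample, the scan reports the two requests from 10.0.0.9 (the plain and the comment-obfuscated variant) and ignores the well-formed requests and the request to a different handler. The same `is_valid_param0` rule is the shape of the server-side fix: reject anything that is not a bare integer before it reaches a query, and bind the value as a parameter rather than interpolating it into the WHERE clause.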
