CVE-2026-40523
Status: Received - Intake

FrontAccounting SQL Injection in Audit Trail Report

Vulnerability report for CVE-2026-40523, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that allows authenticated attackers with SA_GLANALYTIC permission to execute arbitrary SQL queries by injecting malicious code into the PARAM_2 and PARAM_3 POST parameters. Attackers can exploit time-based blind SQL injection through SLEEP() functions that are amplified across JOIN result sets to cause denial of service by exhausting database connections, or extract arbitrary database content through UNION-based injection techniques.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor            Product           Version / Range
frontaccounting   frontaccounting   < 2.4.20 (2.4.20 itself excluded)

Exploitability

CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI Quick Actions
Executive Summary

CVE-2026-40523 is a SQL injection vulnerability (CWE-89) in FrontAccounting versions before 2.4.20, located in the Audit Trail report handler (rep710.php).

Authenticated users holding the SA_GLANALYTIC permission can inject SQL through the PARAM_2 and PARAM_3 POST parameters, because these values are concatenated into the report query without being cast, escaped or bound as parameters.

A time-based blind payload such as a SLEEP() call placed in the WHERE clause is evaluated once for every row the clause is checked against, so the JOIN in the report query multiplies the delay; a handful of concurrent requests can hold enough connections open to exhaust the database connection limit and deny service.

The same injection point also supports UNION-based extraction of arbitrary database content through the report output.

Impact Analysis

An authenticated attacker with the SA_GLANALYTIC permission can run arbitrary SQL against the FrontAccounting database.

  • Denial of Service (DoS): a time-based payload whose SLEEP() is multiplied by the JOIN keeps each request's database connection busy for a long time; a few concurrent requests exhaust the connection limit and the application stops serving other users.
  • Data Exposure: UNION-based injection returns arbitrary table contents inside the report result set, not just the audit-trail rows the report is meant to show.

Overall, this can lead to service disruption and unauthorized access to sensitive financial or audit data.

Detection Guidance

Exploitation attempts are POST requests to the Audit Trail report handler (reporting/rep710.php) whose PARAM_2 or PARAM_3 value is not a plain integer (for example, one that contains SLEEP(, BENCHMARK(, UNION SELECT or SQL comment sequences). Time-based payloads also show up on the database side, as long-running SELECTs on the audit trail table that contain SLEEP() and as a climbing count of busy connections.

Note that the default Apache and nginx access logs record only the request line, not the POST body, so PARAM_2 and PARAM_3 are not visible there. Inspecting the parameters needs a WAF or ModSecurity audit log, a reverse proxy configured to log request bodies, or a packet capture.

  • Find who ran the report, and when, from the access log (this lists the requests but not their parameters): grep 'POST /reporting/rep710.php' /var/log/apache2/access.log
  • Inspect POST bodies in a ModSecurity audit log or a packet capture (tcpdump, Wireshark) filtered on HTTP POST requests to rep710.php, and flag any PARAM_2 or PARAM_3 value that is not an integer.
  • On the MySQL side, look for the injected payload in running queries (SHOW FULL PROCESSLIST, or SELECT * FROM information_schema.processlist WHERE info LIKE '%SLEEP(%') and watch Threads_connected against max_connections; slow query log entries for the audit trail query that contain SLEEP() are a direct indicator.
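The request-side check described above, as an added example (not code from this page or from the FrontAccounting project): a small detector run over constructed log lines. Because the default access log carries no POST body, it assumes a WAF, ModSecurity audit log or reverse proxy that writes one JSON object per request with a request_body field; the field names, the sample lines and the source addresses are all constructed for the example.

```python
"""
Detector for CVE-2026-40523 attempts over body-logging proxy/WAF records.
Added example, not from the page or the FrontAccounting project. Assumes one
JSON object per request with ts/src/method/uri/request_body fields (assumed
field names); the sample lines below are constructed, not real traffic.
"""
import json
import re
from urllib.parse import parse_qs

# Constructed sample log: two legitimate report runs, one unrelated request,
# and two injection attempts (time-based via PARAM_2, UNION-based via PARAM_3).
SAMPLE_LOG = """
{"ts": "2026-06-29T10:01:02Z", "src": "10.0.0.5", "method": "POST", "uri": "/reporting/rep710.php", "request_body": "PARAM_0=2026-01-01&PARAM_1=2026-06-30&PARAM_2=-1&PARAM_3=-1"}
{"ts": "2026-06-29T10:01:40Z", "src": "10.0.0.5", "method": "POST", "uri": "/reporting/rep710.php", "request_body": "PARAM_0=2026-01-01&PARAM_1=2026-06-30&PARAM_2=2&PARAM_3=7"}
{"ts": "2026-06-29T10:02:11Z", "src": "10.0.0.5", "method": "GET", "uri": "/reporting/reports_main.php", "request_body": ""}
{"ts": "2026-06-29T10:05:03Z", "src": "203.0.113.7", "method": "POST", "uri": "/reporting/rep710.php", "request_body": "PARAM_0=2026-01-01&PARAM_1=2026-06-30&PARAM_2=0+OR+SLEEP%285%29%3D0&PARAM_3=-1"}
{"ts": "2026-06-29T10:05:09Z", "src": "203.0.113.7", "method": "POST", "uri": "/reporting/rep710.php", "request_body": "PARAM_0=2026-01-01&PARAM_1=2026-06-30&PARAM_2=-1&PARAM_3=0+UNION+SELECT+id%2C0%2Cpassword%2Cuser_id+FROM+users"}
"""

WATCHED_PARAMS = ("PARAM_2", "PARAM_3")      # the two injectable integer filters
INTEGER_RE = re.compile(r"^-?\d+$")           # the only legitimate shape of a value
PATTERNS = [
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("union-based", re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I)),
    ("comment/stacked", re.compile(r"(--|#|/\*|;)")),
]


def classify(value):
    """None for a plain integer; otherwise the payload family, or 'non-integer'."""
    if INTEGER_RE.match(value.strip()):
        return None
    for label, pattern in PATTERNS:
        if pattern.search(value):
            return label
    return "non-integer"   # not a known signature, but still not a valid filter


def scan_log(text):
    """One finding per suspicious PARAM_2/PARAM_3 value in POSTs to rep710.php."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("uri", "").endswith("/reporting/rep710.php"):
            continue
        # parse_qs url-decodes, so "%28" and "+" become "(" and " " before matching.
        params = parse_qs(rec.get("request_body", ""), keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                kind = classify(value)
                if kind is not None:
                    findings.append({"ts": rec["ts"], "src": rec["src"],
                                     "param": name, "kind": kind, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['param']}={f['value']!r} -> {f['kind']}")
```

The integer check does the real work: any value for PARAM_2 or PARAM_3 that is not an integer is an anomaly regardless of whether it matches a known SLEEP or UNION signature, so obfuscated payloads are still flagged as "non-integer". On the database side, the same two requests would appear in SHOW FULL PROCESSLIST as a SELECT on the audit trail table with SLEEP( or UNION SELECT in its text.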
Mitigation Strategies

Update FrontAccounting to version 2.4.20 or later, where the report handler casts its integer parameters and escapes its string inputs before building the query.

If updating is not immediately possible, review which accounts hold the SA_GLANALYTIC security area (the permission that grants access to the Audit Trail report) and remove it from any account that does not need it; the vulnerability is only reachable by authenticated users with that permission, so shrinking that set shrinks the exposure. Blocking reporting/rep710.php at the web server is a further stopgap, at the cost of losing the report until the upgrade.

A web application firewall in front of the instance can block obvious payloads (SLEEP(, BENCHMARK(, UNION SELECT) in the PARAM_2 and PARAM_3 fields, but it is a screen rather than a fix: numeric injection does not need quotes and can often be rewritten to evade pattern rules.

In any custom or legacy report code, cast integer parameters to int before use and pass string inputs as bound parameters (or escape them with the database driver's escaping function); never interpolate raw POST values into SQL.
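The injection described in the Executive Summary and the integer cast recommended above, as one added example (not FrontAccounting's code): a small model of the query-building pattern, run against an in-memory SQLite database with constructed sample data. It assumes, following the mitigation note about casting integer parameters, that PARAM_2 (transaction type) and PARAM_3 (user id) are integer filters appended unquoted to the audit-trail WHERE clause, with -1 meaning "no filter"; the table layout, column names and sample rows are assumptions for the example. SQLite has no SLEEP(), so a counting stand-in is registered under that name to show how often a per-row payload executes.

```python
"""
Model of the CVE-2026-40523 pattern: vulnerable string-built query beside the
cast-and-bind version. Added example, not FrontAccounting's code; schema,
column names and rows are constructed, and the role of PARAM_2/PARAM_3 as
unquoted integer filters is an assumption taken from the mitigation advice.
"""
import sqlite3

# Constructed sample data. No audit row has type 0, so the time-based payload
# below cannot short-circuit and must evaluate SLEEP() on every row it checks.
USERS = [(1, "admin", "hash-of-admin-pw"), (2, "clerk", "hash-of-clerk-pw")]
AUDIT = [(1, 1, 1, "GL entry"), (2, 2, 1, "Payment"), (3, 3, 2, "Invoice"),
         (4, 1, 2, "GL entry"), (5, 4, 1, "Journal"), (6, 2, 2, "Payment")]

BASE_SQL = ("SELECT a.id, a.type, a.description, u.user_id "
            "FROM audit_trail a JOIN users u ON a.user = u.id WHERE 1=1")


def build_query_vulnerable(param_2, param_3):
    """The unsafe pattern: raw POST strings interpolated into the SQL text."""
    sql = BASE_SQL
    if param_2 != "-1":
        sql += f" AND a.type={param_2}"
    if param_3 != "-1":
        sql += f" AND a.user={param_3}"
    return sql, ()


def build_query_hardened(param_2, param_3):
    """Cast each value to int (ValueError for anything else), then bind it."""
    trans_type, user = int(param_2), int(param_3)
    sql, params = BASE_SQL, []
    if trans_type != -1:
        sql += " AND a.type=?"
        params.append(trans_type)
    if user != -1:
        sql += " AND a.user=?"
        params.append(user)
    return sql, tuple(params)


def make_db():
    """Fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_id TEXT, password TEXT);
        CREATE TABLE audit_trail (id INTEGER PRIMARY KEY, type INTEGER,
                                  user INTEGER, description TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO audit_trail VALUES (?,?,?,?)", AUDIT)
    return conn


def run_report(builder, param_2, param_3):
    """Run the report with the given query builder and return sorted rows."""
    sql, params = builder(param_2, param_3)
    return sorted(make_db().execute(sql, params).fetchall())


# UNION payload for PARAM_3: four columns, matching the report's SELECT list,
# so the users table's password column comes back in the "description" slot.
UNION_PAYLOAD = "0 UNION SELECT id, 0, password, user_id FROM users"


def leaked_passwords(builder=build_query_vulnerable):
    """Password hashes the report leaks for the UNION payload (empty if none)."""
    rows = run_report(builder, "-1", UNION_PAYLOAD)
    return sorted(row[2] for row in rows if row[1] == 0)  # injected rows carry type 0


# Time-based payload for PARAM_2. In MySQL, SLEEP(5) in the WHERE clause runs
# once per row the clause is evaluated against, so the JOIN multiplies the delay.
TIME_PAYLOAD = "0 OR SLEEP(5)=0"


def sleep_calls_for_one_request(builder=build_query_vulnerable):
    """How many times SLEEP() fires for a single injected report request."""
    calls = 0

    def fake_sleep(_seconds):
        nonlocal calls
        calls += 1
        return 0  # MySQL's SLEEP() also returns 0 after pausing

    conn = make_db()
    # Registered without deterministic=True, so SQLite cannot hoist it out of the row loop.
    conn.create_function("SLEEP", 1, fake_sleep)
    sql, params = builder(TIME_PAYLOAD, "-1")
    conn.execute(sql, params).fetchall()
    return calls


if __name__ == "__main__":
    print("leaked:", leaked_passwords())
    print("SLEEP() evaluations for one request:", sleep_calls_for_one_request())
    try:
        build_query_hardened(TIME_PAYLOAD, "-1")
    except ValueError as exc:
        print("hardened builder rejected payload:", exc)
```

The hardened builder both casts and binds. Casting alone is what the page's mitigation describes and is sufficient for these two integer filters; binding as well keeps the query safe if a later change passes a string filter through the same path. Note that Python's int() rejects "0 UNION SELECT ..." outright, whereas a PHP (int) cast silently truncates it to 0, which is also harmless here but worth knowing when reviewing PHP fixes.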
