FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
References
History
Wed, 04 Feb 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81. | |
| Title | FacturaScripts has SQL Injection vulnerability in Autocomplete Actions | |
| Weaknesses | CWE-20 CWE-89 CWE-943 |
|
| References |
| |
| Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-04T19:59:54.847Z
Reserved: 2026-02-02T18:21:42.487Z
Link: CVE-2026-25514
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-02-04T20:16:08.113
Modified: 2026-02-04T20:16:08.113
Link: CVE-2026-25514
Redhat
No data.