Description
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.
Published: 2026-02-04
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary SQL Execution
Action: Immediate Patch
AI Analysis

Impact

FacturaScripts is an open‑source ERP system that includes a REST API where users can specify sorting of results. The vulnerability occurs in the ModelClass::getOrderBy() method, where the value supplied via the sort parameter is concatenated directly into the SQL ORDER BY clause without validation or sanitization. Because the API requires authentication, any authenticated user can supply a crafted sort string that injects arbitrary SQL. This enables execution of any SQL statement on the underlying database, giving full read/write/DDL capabilities and potentially exposing sensitive organizational data, destroying data, or disabling the application. This is a classic SQL injection (CWE‑89) compounded by disallowed input validation (CWE‑20) and unsafe use of user‑supplied sort fields (CWE‑1286).

Affected Systems

Affected vendors and products include NeoRazorX:FacturaScripts. All versions of FacturaScripts prior to 2025.81 are vulnerable, since the patch that addressed the issue was released with version 2025.81. The issue manifests in any API endpoint that accepts a sort parameter, so any installation using the REST API for sorted data retrieval is impacted.

Risk and Exploitability

With a CVSS score of 8.3, the vulnerability carries high severity, granting attackers direct control over the database through the application. The EPSS score is below 1%, indicating a very low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated API user; therefore, attackers must first gain legitimate or compromised API credentials. If attackers obtain such credentials, they could execute arbitrary SQL queries, leading to data breach, corruption, or denial of service. The limited attack surface (authenticated API) and low EPSS reduce overall risk, but the potential impact remains significant.

Generated by OpenCVE AI on April 17, 2026 at 23:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FacturaScripts to version 2025.81 or later to apply the official fix.
  • Restrict API access to trusted users only and enforce strong authentication, ensuring that only authorized personnel can call endpoints with sorting functionality.
  • Add input validation or implement a whitelist for the sort parameter to allow only known safe column names and ordering directions before the query is constructed.

Generated by OpenCVE AI on April 17, 2026 at 23:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cjfx-qhwm-hf99 FacturaScripts has SQL Injection in API ORDER BY Clause
History

Mon, 23 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Facturascripts
Facturascripts facturascripts
CPEs cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*
Vendors & Products Facturascripts
Facturascripts facturascripts
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Neorazorx
Neorazorx facturascripts
Vendors & Products Neorazorx
Neorazorx facturascripts

Wed, 04 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Description FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.
Title FacturaScripts has SQL Injection vulnerability in API ORDER BY Clause
Weaknesses CWE-1286
CWE-20
CWE-89
CWE-943
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Facturascripts Facturascripts
Neorazorx Facturascripts
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:32:21.989Z

Reserved: 2026-02-02T18:21:42.486Z

Link: CVE-2026-25513

cve-icon Vulnrichment

Updated: 2026-02-05T14:20:14.187Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T20:16:07.973

Modified: 2026-02-23T15:02:32.667

Link: CVE-2026-25513

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses