Description
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.
Published: 2026-02-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated data exfiltration via SQL injection
Action: Patch today
AI Analysis

Impact

FacturaScripts prior to 2025.81 has a SQL injection flaw in its autocomplete feature. An attacker who can log into the application can supply crafted input that is directly concatenated into a SQL query. This lets the attacker read arbitrary database contents, including usernames, passwords, system settings, and all business records.
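As an added illustration (not FacturaScripts' own code, which this page does not show), the concatenation defect described above beside a parameterized rewrite; the table and field names and the allow-list are hypothetical, and the demo assumes PHP with the pdo_sqlite extension:

```php
<?php
// Added illustration, not FacturaScripts code: an autocomplete lookup whose
// request parameters are concatenated into SQL, beside a parameterized rewrite.
// Table/field names and the allow-list are hypothetical.
// Vulnerable pattern: table, field and search term all land in the SQL string.
function autocompleteUnsafe(PDO $pdo, string $table, string $field, string $term): array
{
    $sql = "SELECT $field FROM $table WHERE $field LIKE '%$term%' LIMIT 20";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: identifiers cannot be bound as parameters, so they are
// checked against an allow-list; the search term is bound, never concatenated.
const AUTOCOMPLETE_ALLOWED = [
    'customers' => ['name', 'code'],
    'products'  => ['description', 'reference'],
];

function autocompleteSafe(PDO $pdo, string $table, string $field, string $term): array
{
    if (!in_array($field, AUTOCOMPLETE_ALLOWED[$table] ?? [], true)) {
        throw new InvalidArgumentException("autocomplete not allowed on $table.$field");
    }
    // Escape LIKE metacharacters so the term cannot widen the match either.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare("SELECT $field FROM $table WHERE $field LIKE :term ESCAPE '\\' LIMIT 20");
    $stmt->execute([':term' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demo on an in-memory SQLite database with constructed rows (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customers (code TEXT, name TEXT)");
$pdo->exec("INSERT INTO customers VALUES ('C001', 'Ana Garcia'), ('C002', 'Liam O''Brien')");
// An ordinary apostrophe already breaks the concatenated query ...
try {
    autocompleteUnsafe($pdo, 'customers', 'name', "O'Brien");
} catch (PDOException $e) {
    echo "unsafe: user input altered the SQL: " . $e->getMessage() . "\n";
}
// ... while the bound version treats it as data and returns the matching row.
print_r(autocompleteSafe($pdo, 'customers', 'name', "O'Brien"));
// Identifiers outside the allow-list are rejected before any SQL is built.
try {
    autocompleteSafe($pdo, 'invoices', 'total', 'a');
} catch (InvalidArgumentException $e) {
    echo "safe: " . $e->getMessage() . "\n";
}
```

The allow-list is the part that matters most for an autocomplete endpoint: binding covers the search term, but table and column names can only be constrained by checking them against a fixed set.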

Affected Systems

NeoRazorX's FacturaScripts, an open-source ERP and accounting solution. Any installation running a version older than 2025.81 is vulnerable. The defect is in the CodeModel::all() method used by the autocomplete feature and is addressed in release 2025.81.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity and the potential for significant impact. Its EPSS score is below 1%, suggesting a low overall exploitation probability at the moment. It is not currently listed in the CISA KEV catalog. Because the injection requires an authenticated session, the attack vector is internal or requires legitimate access. Successful exploitation would give complete read-only access to the database, permitting a threat actor to steal sensitive credentials, configuration data, and business information.

Generated by OpenCVE AI on April 17, 2026 at 23:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 2025.81 patch to all affected installations immediately.
  • If patching is delayed, disable or restrict the autocomplete feature to prevent user input from reaching the database query layer.
  • Ensure the database user account used by FacturaScripts has the minimum privileges necessary (read-only if possible) to mitigate damage if the vulnerability is exploited.
  • Deploy a web application firewall or similar input validation layer to detect and block malformed queries and other injection attempts.


Advisories
Source: Github GHSA; ID: GHSA-pqqg-5f4f-8952; Title: FacturaScripts has SQL Injection in Autocomplete Actions
History

Each entry below lists the values added on that date; none of these entries removed values.

Mon, 23 Feb 2026 15:00:00 +0000
  First time appeared (added): Facturascripts; Facturascripts facturascripts
  CPEs (added): cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*
  Vendors & Products (added): Facturascripts; Facturascripts facturascripts
  Metrics (added): cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Feb 2026 15:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000
  First time appeared (added): Neorazorx; Neorazorx facturascripts
  Vendors & Products (added): Neorazorx; Neorazorx facturascripts

Wed, 04 Feb 2026 20:15:00 +0000
  Description (added): the description shown at the top of this page
  Title (added): FacturaScripts has SQL Injection vulnerability in Autocomplete Actions
  Weaknesses (added): CWE-20, CWE-89, CWE-943
  References (added): (not shown)
  Metrics (added): cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-05T14:32:26.569Z
Reserved: 2026-02-02T18:21:42.487Z
Link: CVE-2026-25514

Vulnrichment

Updated: 2026-02-05T14:23:09.272Z

NVD

Status: Analyzed
Published: 2026-02-04T20:16:08.113
Modified: 2026-02-23T15:00:00.237
Link: CVE-2026-25514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses