CVE-2026-25514 - Vulnerability Details

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NeoRazorX

facturascripts

affected

Version	Status	Constraints
`< 2025.81`	affected	—

No data.

Project Subscriptions

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-pqqg-5f4f-8952	FacturaScripts has SQL Injection in Autocomplete Actions

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952

History

Wed, 04 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.
Title		FacturaScripts has SQL Injection vulnerability in Autocomplete Actions
Weaknesses		CWE-20 CWE-89 CWE-943
References		https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-04T19:59:54.847Z

Updated: 2026-02-04T19:59:54.847Z

Reserved: 2026-02-02T18:21:42.487Z

Link: CVE-2026-25514

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-04T20:16:08.113

Modified: 2026-02-04T20:16:08.113

Link: CVE-2026-25514

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object