CVE-2026-25514 - Vulnerability Details

- FacturaScripts has SQL Injection vulnerability in Autocomplete Actions

Description

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.

Published: 2026-02-04

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NeoRazorX

facturascripts

affected

Version	Status	Constraints
`< 2025.81`	affected	—

Configuration 1 [-]

cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Neorazorx	Facturascripts	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-pqqg-5f4f-8952	FacturaScripts has SQL Injection in Autocomplete Actions

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952

History

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Facturascripts Facturascripts facturascripts
CPEs		cpe:2.3:a:facturascripts:facturascripts::::::::
Vendors & Products		Facturascripts Facturascripts facturascripts
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 05 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 05 Feb 2026 11:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Neorazorx Neorazorx facturascripts
Vendors & Products		Neorazorx Neorazorx facturascripts

Wed, 04 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.
Title		FacturaScripts has SQL Injection vulnerability in Autocomplete Actions
Weaknesses		CWE-20 CWE-89 CWE-943
References		https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Facturascripts Facturascripts

Neorazorx Facturascripts

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-04T19:59:54.847Z

Updated: 2026-02-05T14:32:26.569Z

Reserved: 2026-02-02T18:21:42.487Z

Link: CVE-2026-25514

Vulnrichment

Updated: 2026-02-05T14:23:09.272Z

NVD

Status : Analyzed

Published: 2026-02-04T20:16:08.113

Modified: 2026-02-23T15:00:00.237

Link: CVE-2026-25514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-02-05T11:39:38Z

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object