Description
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through the unparameterized WHERE clause to retrieve sensitive information including usernames, password hashes, and email addresses from the users table, rendered into PDF report output.
Published: 2026-06-29
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FrontAccounting before version 2.4.20 is vulnerable to SQL injection in the Bank Statement report handler (rep601.php). The PARAM_0 POST parameter is concatenated into an unparameterized WHERE clause, so an authenticated user can append a UNION SELECT and run arbitrary SQL. This allows extraction of sensitive information, including usernames, password hashes, and email addresses from the users table, which is then rendered into the PDF report output and returned to the attacker.

Affected Systems

The affected product is FrontAccounting in versions earlier than 2.4.20. Deployments running 2.4.19 or older are exposed; release 2.4.20 incorporates the fix.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) is rated High: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires a low-privileged authenticated account. No EPSS score is published and the issue is not listed in the CISA KEV catalog, so there is no evidence of in-the-wild exploitation; the SSVC assessment on this page does record Exploitation: poc, meaning a proof of concept exists, with Automatable: no. Because any authenticated user who can run the Bank Statement report can harvest password hashes and email addresses from the users table, the risk remains serious in environments where accounts are shared, weakly protected, or exposed to credential stuffing.

Generated by OpenCVE AI on June 29, 2026 at 14:38 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description itself places the fix in FrontAccounting 2.4.20 (see Recommended Actions below).

OpenCVE Recommended Actions

  • Update FrontAccounting to version 2.4.20 or later, the release the CVE description identifies as fixed.
  • Restrict access to the Bank Statement report (rep601.php) to the roles that need it: any authenticated user who can run the report can exploit this issue.
  • If you cannot upgrade immediately, review how rep601.php builds its WHERE clause from PARAM_0 and replace raw string concatenation with a prepared statement or strict type validation (cast the parameter to the type the query expects before it reaches the SQL text).
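The concatenation pattern the advisory describes, next to the parameterized form the last recommendation asks for. This is an added illustration written for this page, not FrontAccounting's own rep601.php code: the table and column names are constructed stand-ins, PARAM_0 is assumed to carry an integer bank-account id, and an in-memory SQLite database replaces the product's MySQL backend. The UNION payload follows the shape the description gives (a UNION SELECT pulling username, password hash and email from the users table).

```python
import sqlite3

# Constructed stand-in schema. Table and column names are illustrative only,
# not FrontAccounting's real schema; the hash is the MD5 of "password".
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bank_trans (trans_no INTEGER, bank_act INTEGER, amount REAL);
        CREATE TABLE users (user_id TEXT, password TEXT, email TEXT);
        INSERT INTO bank_trans VALUES (101, 1, 250.0), (102, 1, -40.0), (103, 2, 900.0);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.test');
    """)
    return db

def vulnerable_report(db, param_0):
    """Report handler as the advisory describes it: PARAM_0 is concatenated
    straight into the WHERE clause, so any SQL in it becomes part of the query."""
    sql = ("SELECT trans_no, bank_act, amount FROM bank_trans "
           "WHERE bank_act = " + str(param_0) + " ORDER BY trans_no")
    return db.execute(sql).fetchall()

def fixed_report(db, param_0):
    """Hardened handler: enforce the expected type, then bind the value.
    The placeholder keeps user-controlled data out of the SQL text entirely."""
    account = int(param_0)  # raises ValueError for any non-integer payload
    sql = ("SELECT trans_no, bank_act, amount FROM bank_trans "
           "WHERE bank_act = ? ORDER BY trans_no")
    return db.execute(sql, (account,)).fetchall()

def rejects(db, param_0):
    """True when the hardened handler refuses the value before any query runs."""
    try:
        fixed_report(db, param_0)
        return False
    except ValueError:
        return True

# Constructed payload of the kind the advisory describes. The UNION must match
# the three columns of the original SELECT or the database rejects the query.
PAYLOAD = "1 UNION SELECT user_id, password, email FROM users"

def leaked_credentials(rows):
    """Rows that came from the users table rather than bank_trans:
    a genuine transaction row never has a text trans_no."""
    return [r for r in rows if isinstance(r[0], str)]

if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler leaked:", leaked_credentials(vulnerable_report(db, PAYLOAD)))
    print("fixed handler rejects payload:", rejects(db, PAYLOAD))
    print("fixed handler, legitimate input:", fixed_report(db, "1"))
```

The vulnerable handler returns the admin row (username, hash, email) mixed into the statement lines, which is exactly what ends up in the PDF in the real issue; the hardened handler refuses the payload before any SQL runs and still serves a legitimate account id. The page links no patch, so the actual upstream change in 2.4.20 is not shown here; binding the value, or casting it to its expected type, is the generic remediation for CWE-89.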

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Frontaccounting
                                      Frontaccounting frontaccounting
Vendors & Products                    Frontaccounting
                                      Frontaccounting frontaccounting

Mon, 29 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Type          Values Removed   Values Added
Description                    FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through the unparameterized WHERE clause to retrieve sensitive information including usernames, password hashes, and email addresses from the users table, rendered into PDF report output.
Title                          FrontAccounting < 2.4.20 SQL Injection via rep601.php
Weaknesses                     CWE-89
                               CWE-916
References
Metrics                        cvssV3_1
                               {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
                               cvssV4_0
                               {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T13:42:36.862Z

Reserved: 2026-04-13T20:29:02.810Z

Link: CVE-2026-40522

Vulnrichment

Updated: 2026-06-29T13:42:28.003Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:15:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-916

    Use of Password Hash With Insufficient Computational Effort