Description
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that allows authenticated attackers with SA_GLANALYTIC permission to execute arbitrary SQL queries by injecting malicious code into the PARAM_2 and PARAM_3 POST parameters. Attackers can exploit time-based blind SQL injection through SLEEP() functions that are amplified across JOIN result sets to cause denial of service by exhausting database connections, or extract arbitrary database content through UNION-based injection techniques.
Published: 2026-06-29
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FrontAccounting versions prior to 2.4.20 contain a flaw in the Audit Trail report handler that lets an authenticated user with the SA_GLANALYTIC permission inject arbitrary SQL through the PARAM_2 and PARAM_3 POST parameters. By using time-based blind techniques such as SLEEP() or UNION-based payloads the attacker can execute commands against the database, extract data, or exhaust database connections, leading to denial of service.

Affected Systems

FrontAccounting Financial Management software from the FrontAccounting vendor, specifically any installation using a version earlier than 2.4.20.

Risk and Exploitability

With a CVSS score of 7.2 the vulnerability is considered high severity. No EPSS data is available, and the issue is not listed in the CISA KEV database. Successful exploitation requires user authentication and possession of the SA_GLANALYTIC role; attackers can prolong requests to flood database connections or leverage UNION statements to pull information, making the vulnerability both impactful and exploitable in environments where the privileged role is widely distributed.

Generated by OpenCVE AI on June 29, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FrontAccounting to version 2.4.20 or later to remove the injection vulnerability.
  • Restrict the SA_GLANALYTIC permission to a minimal set of trusted users and review role assignments.
  • Review recent Audit Trail report usage and database logs for unexpected queries or repeated SLEEP() calls as signs of exploitation; consider disabling or restricting the report generation endpoints or adding input validation for the affected parameters.
  • As a temporary defensive measure, configure the database to limit maximum connections and enforce query timeouts to mitigate potential denial-of-service attacks.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Frontaccounting; Frontaccounting frontaccounting
Vendors & Products | | Frontaccounting; Frontaccounting frontaccounting

Mon, 29 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that allows authenticated attackers with SA_GLANALYTIC permission to execute arbitrary SQL queries by injecting malicious code into the PARAM_2 and PARAM_3 POST parameters. Attackers can exploit time-based blind SQL injection through SLEEP() functions that are amplified across JOIN result sets to cause denial of service by exhausting database connections, or extract arbitrary database content through UNION-based injection techniques.
Title | | FrontAccounting < 2.4.20 SQL Injection via reporting/rep710.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}
Metrics | | cvssV4_0: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T13:59:06.310Z

Reserved: 2026-04-13T20:29:02.810Z

Link: CVE-2026-40523

Vulnrichment

Updated: 2026-06-29T13:58:39.480Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T19:00:11Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')