Description
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.
Published: 2026-06-29
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FrontAccounting versions earlier than 2.4.20 allow attackers with SA_GLANALYTIC permission to perform SQL injection in the get_gl_transactions() function. The filter_type parameter is concatenated directly into a SQL IN() clause, enabling boolean-based blind injection that can extract confidential journal entries through response size differentials. This is a classic SQL injection weakness (CWE-89) and results in unauthorized disclosure of sensitive accounting data.
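To make the pattern from the description and the Impact paragraph concrete, here is an added illustrative example. It is not FrontAccounting's code (the project is PHP); it is a Python re-creation of the described flaw on a constructed SQLite table, with the unsafe IN() concatenation next to a hardened version that validates filter_type as a list of integers and binds each value as a placeholder. The table, column names and sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample ledger rows (trans_no, type, reference); this is not
# FrontAccounting's real schema, only a stand-in for the example.
SAMPLE_ROWS = [(1, 0, "JE-1"), (2, 1, "JE-2"), (3, 10, "INV-3"), (4, 20, "SUPP-4")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE gl_trans (trans_no INTEGER, type INTEGER, reference TEXT)")
    con.executemany("INSERT INTO gl_trans VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def get_gl_transactions_unsafe(con, filter_type):
    """The pattern the advisory describes: filter_type is pasted straight into
    the IN() clause, so any SQL syntax it carries becomes part of the query."""
    sql = "SELECT trans_no FROM gl_trans WHERE type IN (" + str(filter_type) + ") ORDER BY trans_no"
    return [row[0] for row in con.execute(sql)]


def parse_filter_types(filter_type):
    """Hardened input handling: accept only a comma-separated list of integers
    and reject anything else (a stray ')' is exactly what must not get through)."""
    types = []
    for item in str(filter_type).split(","):
        item = item.strip()
        if not item.lstrip("-").isdigit():
            raise ValueError(f"invalid filter_type element: {item!r}")
        types.append(int(item))
    return types


def get_gl_transactions_safe(con, filter_type):
    """Hardened form: one bound placeholder per validated integer, so the
    user-controlled values never become part of the SQL text."""
    types = parse_filter_types(filter_type)
    placeholders = ",".join("?" * len(types))
    sql = f"SELECT trans_no FROM gl_trans WHERE type IN ({placeholders}) ORDER BY trans_no"
    return [row[0] for row in con.execute(sql, types)]


if __name__ == "__main__":
    db = make_db()
    print(get_gl_transactions_safe(db, "0,1"))  # [1, 2]
    try:
        get_gl_transactions_safe(db, "1,2)")
    except ValueError as err:
        print("rejected:", err)
```

Both functions return the same rows for well-formed input; only the hardened one refuses a value carrying a closing parenthesis or any other non-integer content.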

Affected Systems

All FrontAccounting installations running version 2.x prior to 2.4.20. The vendor is FrontAccounting. Users should check whether their instance is running 2.4.19 or earlier and, after upgrading, confirm that no unpatched code remains.

Risk and Exploitability

The CVSS score of 7.2 indicates a high impact with limited required privileges. Exploitation requires an authenticated user with SA_GLANALYTIC rights, which limits the attack surface but still poses a serious threat if such permissions are mis-assigned. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, yet the ability to disclose financial records elevates its priority for patching.

Generated by OpenCVE AI on June 29, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FrontAccounting to version 2.4.20 or later to eliminate the unsanitized SQL concatenation.
  • If a rapid upgrade is not feasible, limit the SA_GLANALYTIC permission to trusted administrators and audit its use for anomalous query patterns.
  • Implement database monitoring to detect suspicious SQL injection attempts, focusing on repeated boolean or size-based query responses.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Frontaccounting
                                      Frontaccounting frontaccounting
Vendors & Products   (none)           Frontaccounting
                                      Frontaccounting frontaccounting

Mon, 29 Jun 2026 13:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.
Title         (none)           FrontAccounting < 2.4.20 SQL Injection via get_gl_transactions()
Weaknesses    (none)           CWE-89
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}
                               cvssV4_0: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T12:27:26.080Z

Reserved: 2026-04-13T20:29:02.810Z

Link: CVE-2026-40524

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:15:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')