CVE-2026-25513

8.8 HIGH

📋 TL;DR

FacturaScripts contains a critical SQL injection vulnerability in its REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. This affects all API endpoints with sorting functionality in versions prior to 2025.81, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • FacturaScripts
Versions: All versions prior to 2025.81
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated API access; affects all REST API endpoints with sorting functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠

Likely Case

Data exfiltration, unauthorized data modification, and potential lateral movement within the database environment.

🟢

If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, though some data exposure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection through a sort parameter is a well-understood attack vector; exploitation requires API authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.81

Vendor Advisory: https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-cjfx-qhwm-hf99

Restart Required: No

Instructions:

1. Back up your FacturaScripts installation and database.
2. Update to version 2025.81 or later via the built-in updater or manual installation.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable REST API

all

Temporarily disable the REST API to prevent exploitation while planning the upgrade.

Modify configuration to disable REST API endpoints

Input Validation Filter

all

Implement input validation for sort parameters at the web server or application firewall level.

Configure WAF rules to block SQL injection patterns in sort parameters
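A WAF filter on the sort parameter is a stop-gap; the durable fix is in the application. Because ORDER BY takes identifiers, a bound parameter cannot carry the column name, so the "parameterized queries" named under If Mitigated have to be paired with an allowlist of sortable columns and directions. The following is an added example written for this page, not FacturaScripts code; it uses Python and an in-memory SQLite table with a constructed schema to show the vulnerable string-splicing pattern next to the allowlisted version. The `column:direction` syntax is an assumption chosen for the example.

```python
import re
import sqlite3

# Constructed sample table standing in for an API resource (not the project's schema).
ROWS = [
    (1, "Alice", 1200.50),
    (2, "Bob", 300.00),
    (3, "Carol", 875.25),
]


def make_db():
    """Build the in-memory fixture the two handlers below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", ROWS)
    return conn


def list_invoices_vulnerable(conn, sort):
    # Anti-pattern: the caller-controlled sort value is spliced into the statement
    # text, so any SQL fragment the caller supplies becomes part of the query.
    sql = "SELECT id, customer, total FROM invoices ORDER BY " + sort
    return conn.execute(sql).fetchall()


# Allowlist: the columns the API may sort on and the two permitted directions.
SORTABLE = {"id", "customer", "total"}
SORT_TOKEN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?::(asc|desc))?$", re.IGNORECASE)


def parse_sort(sort):
    """Return (column, direction) for values such as 'total' or 'total:desc'.

    Raises ValueError for anything that is not an allowlisted column with an
    optional direction, so no caller-supplied text ever reaches the SQL.
    """
    m = SORT_TOKEN.match(sort or "")
    if not m:
        raise ValueError("malformed sort parameter")
    column = m.group(1)
    direction = (m.group(2) or "asc").upper()
    if column not in SORTABLE:
        raise ValueError(f"unknown sort column: {column!r}")
    return column, direction


def list_invoices_hardened(conn, sort):
    column, direction = parse_sort(sort)
    # Only allowlist members are interpolated; the identifier is also quoted so a
    # future allowlist entry with unusual characters cannot change the statement.
    sql = f'SELECT id, customer, total FROM invoices ORDER BY "{column}" {direction}'
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(list_invoices_hardened(db, "total:desc"))
    try:
        list_invoices_hardened(db, "total DESC, customer")
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable handler happily accepts `"total DESC, customer"`, i.e. arbitrary SQL text, while the hardened one rejects it before any query is built. Rejecting with an error rather than silently falling back to a default order also gives the detection logic in the next section a clean signal to work with.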

🧯 If You Can't Patch

  • Restrict API access to trusted IP addresses only
  • Implement strict API authentication and monitor for unusual sort parameter patterns

🔍 How to Verify

Check if Vulnerable:

Check the FacturaScripts version in the admin panel or via the version file; if the version is below 2025.81, the system is vulnerable.

Check Version:

Check /vendor/composer/installed.json or admin panel version display

Verify Fix Applied:

Confirm version is 2025.81 or later and test API sort functionality with malicious inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed sort parameter attempts
  • API requests with SQL keywords in sort parameter

Network Indicators:

  • Unusual API traffic patterns
  • SQL injection payloads in HTTP requests

SIEM Query:

source="web_logs" AND (uri_path="/api/*" AND query_string="*sort=*" AND (query_string="*SELECT*" OR query_string="*UNION*" OR query_string="*OR*"))
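The wildcard query above is a reasonable first pass, but `*OR*` is a substring match and fires on benign values such as `sort=sort_order`. A tighter check is to decode the sort parameter and flag anything that is not shaped like an allowlisted column with an optional direction, then label the ones carrying SQL tokens. The following is an added example, not part of the original advisory and not FacturaScripts tooling; it runs over constructed access-log lines in a combined-log-like layout, with `/api/example` as a placeholder path.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines for the example (not real FacturaScripts logs).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /api/example?sort=codigo HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2026:10:00:02 +0000] "GET /api/example?sort=sort_order HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /api/example?sort=total%20DESC%2C%28SELECT%201%29 HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /api/example?sort=codigo%27%20OR%201%3D1-- HTTP/1.1" 500 88',
    '10.0.0.7 - - [01/Mar/2026:10:00:05 +0000] "GET /api/example?sort=total%20desc&limit=10 HTTP/1.1" 400 64',
    '10.0.0.7 - - [01/Mar/2026:10:00:06 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Shape of a legitimate sort value: an identifier, optionally ':asc' or ':desc'.
SAFE_SORT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(:(asc|desc))?$", re.IGNORECASE)
# Whole-word SQL tokens; \b keeps 'sort_order' and 'author_or_editor' from matching.
SQL_KEYWORDS = re.compile(r"\b(select|union|or|and|sleep|benchmark)\b", re.IGNORECASE)


def extract_sort_values(line):
    """Return (ip, path, decoded sort values) for an /api request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/api/"):
        return None
    # parse_qs percent-decodes, so the check runs on what the application saw.
    values = parse_qs(parts.query, keep_blank_values=True).get("sort", [])
    return m.group("ip"), parts.path, values


def classify_sort(value):
    """'ok' for an allowlist-shaped value, 'sql_keyword' if it carries a SQL token, else 'malformed'."""
    if SAFE_SORT.match(value):
        return "ok"
    if SQL_KEYWORDS.search(value):
        return "sql_keyword"
    return "malformed"


def scan(lines):
    """Return one alert dict per suspicious sort value found in the log lines."""
    alerts = []
    for line in lines:
        parsed = extract_sort_values(line)
        if parsed is None:
            continue
        ip, path, values = parsed
        for value in values:
            verdict = classify_sort(value)
            if verdict != "ok":
                alerts.append({"ip": ip, "path": path, "sort": value, "verdict": verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Tuning the allowlist shape to the real API's sort syntax is the one site-specific step; everything that fails it is worth a look, and the `sql_keyword` verdict separates probable injection attempts from clients that merely send an unexpected format. Pairing the alert with the 500 or 400 status in the same line, as the constructed rows show, gives a second signal that the value reached the database or was rejected.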
