CVE-2026-25514
📋 TL;DR
FacturaScripts contains a critical SQL injection vulnerability in its autocomplete functionality. An authenticated user can abuse it to read data the application never intended to expose, including user credentials, configuration settings and all business records. Every installation before version 2025.81 is affected; exploitation requires an account on the instance, but no elevated role.
💻 Affected Systems
- FacturaScripts
📦 What is this software?
FacturaScripts is an open-source invoicing, accounting and ERP web application written in PHP, developed by NeoRazorX (the GitHub account that publishes the repository and the advisory linked below).
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to credential theft, financial data exposure, and potential lateral movement to other systems.
Likely Case
Unauthorized access to sensitive business data, customer information, and financial records stored in the database.
If Mitigated
With user input bound as query parameters the injection is eliminated. Input filtering or a WAF on their own only narrow the exposure, since encoded or alternative payloads may still get through.
🎯 Exploit Status
SQL injection bugs of this kind are routinely weaponized once public. Exploitation requires a valid FacturaScripts login, but beyond that it is straightforward: the autocomplete input reaches the query directly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.81
Vendor Advisory: https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952
Restart Required: Yes
Instructions:
1. Back up your FacturaScripts installation and database.
2. Download version 2025.81 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the web server service.
🔧 Temporary Workarounds
Input Validation Filter
Apply strict allowlist validation to the autocomplete parameters and reject anything outside the expected character set (quotes, comment sequences, semicolons in particular).
If you patch locally, the affected code path named here is CodeModel::all(); bind the user-supplied term as a query parameter there rather than sanitizing it before concatenation, since a filter narrows the hole and a bound parameter closes it.
Web Application Firewall
Deploy a WAF with SQL injection rules in front of the application. Treat it as a stopgap: encoded or obfuscated payloads can bypass signature rules, and the fix is the vendor patch.
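The difference between the two workarounds above and the real fix is easiest to see side by side. The following is an added example, not FacturaScripts code and not the contents of CodeModel::all(): a generic autocomplete lookup built by string concatenation next to its parameterized replacement, plus an allowlist filter of the kind the "Input Validation Filter" workaround describes. The users table, its columns, the sample rows, the payload and the allowlist character set are all assumptions constructed for the demo; the injection technique shown is the textbook UNION pattern, not a reproduction of this CVE.

```python
"""Added example (not FacturaScripts code): an autocomplete lookup built by
string concatenation beside its parameterized replacement, plus the kind of
allowlist filter the workaround above describes. The table, the column names,
the payload and the sample rows are all constructed for the demo."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's database: a constructed
    'users' table holding the kind of data the advisory says is exposed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (nick TEXT, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "admin@example.test", "hash-admin-constructed"),
        ("alice", "alice@example.test", "hash-alice-constructed"),
        ("bob",   "bob@example.test",   "hash-bob-constructed"),
    ])
    return conn


def autocomplete_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Vulnerable pattern: the user-supplied term is spliced into the SQL text,
    so a quote in the term ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT nick FROM users WHERE nick LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def autocomplete_fixed(conn: sqlite3.Connection, term: str) -> list[str]:
    """Hardened: the term travels as a bound parameter. The query structure is
    fixed at prepare time; the term can only ever be compared, never parsed."""
    sql = "SELECT nick FROM users WHERE nick LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Generic UNION-based payload (constructed). It closes the LIKE string, appends
# a SELECT of another column, then reopens a string so that the trailing %' the
# template adds still parses:
#   ... LIKE '%' UNION SELECT password_hash FROM users WHERE '%'='%'
UNION_PAYLOAD = "' UNION SELECT password_hash FROM users WHERE '%'='"

# Stopgap allowlist for an autocomplete term (assumed character set: letters
# and digits in any script, space, dot, @, hyphen; at most 64 characters).
# It blocks the quote and comment characters injection needs, but it is a
# filter, not a fix: binding parameters is what actually closes the hole.
_SAFE_TERM = re.compile(r"^[\w .@-]{0,64}$")


def is_safe_term(term: str) -> bool:
    return _SAFE_TERM.fullmatch(term) is not None


def demo() -> dict[str, list[str]]:
    """Run the same payload through both versions and return the results."""
    conn = build_db()
    return {
        "vulnerable": autocomplete_vulnerable(conn, UNION_PAYLOAD),
        "fixed": autocomplete_fixed(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {rows}")
```

Run as a script: the vulnerable variant returns every nick plus every password hash, the parameterized variant returns nothing because no nick contains the literal payload text. The allowlist rejects the payload too, but only because it contains a quote; it is the parameter binding that makes the quote harmless.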
🧯 If You Can't Patch
- Run FacturaScripts with a least-privilege database account that can reach only its own schema, so an injection cannot read other databases on the same server
- Shrink the pool of accounts that can reach the autocomplete feature: remove stale users, enforce strong passwords and restrict the web interface to trusted networks, since exploitation needs an authenticated session
- Enable database query logging or auditing and alert on unusual query shapes from the application account (UNION clauses, reads of the user table outside the login flow, unusually large result sets)
🔍 How to Verify
Check if Vulnerable:
Check the FacturaScripts version in the admin panel or in the source files. Any version below 2025.81 is vulnerable.
Check Version:
Read the version from the version.php file or from the admin dashboard.
Verify Fix Applied:
Confirm the running installation reports version 2025.81 or later. If you also want to test the autocomplete endpoint with injection payloads, do so on a staging copy with authorization; a patched instance returns only matching records for such input.
📡 Detection & Monitoring
Log Indicators:
- Unusual query shapes in database logs from the application account (UNION clauses, reads of the user table outside the login flow)
- Bursts of autocomplete requests from one session whose parameters contain quotes, SQL operators or comment sequences
- Brute-force or credential-stuffing login activity followed by autocomplete requests from the newly authenticated session (the bug needs a valid login)
Network Indicators:
- HTTP requests to autocomplete endpoints whose decoded parameters contain SQL keywords or a quote followed by OR/UNION; payloads are usually percent-encoded, so decode before matching
- Unusually large responses or query volumes on the application's database connection
SIEM Query (Splunk-style; match on the URL-decoded query string, and expect false positives from ordinary search terms that happen to contain these words):
source="web_logs" AND uri="*autocomplete*" AND (query="*SELECT*" OR query="*UNION*" OR query="*FROM*" OR query="*' OR *" OR query="*--*")
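A bare keyword match both over-reports (any customer name containing "from" or "select" trips it) and under-reports (a `' OR '1'='1` payload contains none of the keywords, and raw access logs carry it percent-encoded). The following is an added example, not FacturaScripts code and not the SIEM query above: it parses constructed combined-format access-log lines, decodes the query string, flags values carrying injection indicators rather than bare keywords, and counts repeat offenders for the "multiple requests" indicator. The endpoint path /EditCliente?action=autocomplete, the parameter name term and every log line are assumptions constructed for the demo. Access logs do not contain POST bodies, so for POST requests the same checks have to run on decoded body parameters from a WAF or application log.

```python
"""Added example (not FacturaScripts code): flag SQL-injection attempts against
an autocomplete endpoint in web access logs. The endpoint path, the parameter
name 'term' and every log line here are constructed for the demo."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed combined-log-format lines: one normal lookup, one legitimate term
# that happens to contain "select", two injection attempts, one unrelated page.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Feb/2026:10:01:02 +0000] "GET /EditCliente?action=autocomplete&term=gar HTTP/1.1" 200 512
10.0.0.7 - carol [12/Feb/2026:10:01:05 +0000] "GET /EditCliente?action=autocomplete&term=Selecta HTTP/1.1" 200 340
10.0.0.9 - bob [12/Feb/2026:10:01:10 +0000] "GET /EditCliente?action=autocomplete&term=%27%20UNION%20SELECT%20password%20FROM%20users--%20 HTTP/1.1" 200 2048
10.0.0.9 - bob [12/Feb/2026:10:01:11 +0000] "GET /EditCliente?action=autocomplete&term=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096
10.0.0.9 - bob [12/Feb/2026:10:01:12 +0000] "GET /ListCliente HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators of injection rather than of SQL-looking words: a quote followed by
# a boolean or UNION operator, UNION ... SELECT, or a comment opener.
INJECTION_RE = re.compile(r"""(?ix)
      '\s*(?:or|and|union)\b          # ' OR ...  ' UNION ...
    | \bunion\s+(?:all\s+)?select\b   # UNION [ALL] SELECT
    | --\s | --$ | /\*                # SQL comment openers
""")


def is_autocomplete(uri: str) -> bool:
    # Assumption: the endpoint is recognisable by "autocomplete" in the URI,
    # the same match the SIEM query above relies on.
    return "autocomplete" in uri.lower()


def decoded_values(uri: str) -> list[str]:
    """All query-string values with percent-encoding and '+' undone, so that
    %27%20UNION is inspected as ' UNION."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return [v for values in params.values() for v in values]


def injection_indicators(value: str) -> bool:
    return INJECTION_RE.search(value) is not None


def naive_keyword_match(value: str) -> bool:
    """What a substring match on SELECT/UNION/FROM (as in the SIEM query) sees."""
    v = value.lower()
    return any(word in v for word in ("select", "union", "from"))


def scan_log(text: str) -> list[dict]:
    """Autocomplete requests whose decoded parameters carry injection indicators."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_autocomplete(m["uri"]):
            continue
        hits = [v for v in decoded_values(m["uri"]) if injection_indicators(v)]
        if hits:
            flagged.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "values": hits})
    return flagged


def naive_hits(text: str) -> list[str]:
    """Users the keyword-only rule would flag, for comparison with scan_log."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_autocomplete(m["uri"]) and any(
            naive_keyword_match(v) for v in decoded_values(m["uri"])
        ):
            out.append(m["user"])
    return out


def repeat_offenders(flagged: list[dict], threshold: int = 2) -> dict[str, int]:
    """Accounts (or source IPs when the request was unauthenticated) with at
    least `threshold` flagged autocomplete requests."""
    counts = Counter(f["user"] if f["user"] != "-" else f["ip"] for f in flagged)
    return {who: n for who, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['user']}@{f['ip']} {f['values']}")
    print("repeat offenders:", repeat_offenders(found))
    print("keyword-only rule would flag:", naive_hits(SAMPLE_LOG))
```

On the sample, the indicator rule flags bob's two requests and nothing else; the keyword-only rule flags carol's harmless "Selecta" and misses bob's boolean payload entirely. Tune the regex to your own traffic before alerting on it, and keep the decoded value in the alert so an analyst can read the payload.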