CVE-2026-25513 in facturascripts
Summary
by MITRE • 02/04/2026
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.
Analysis
by VulDB Data Team • 02/23/2026
This critical vulnerability in FacturaScripts represents a significant security flaw that directly impacts the integrity and confidentiality of enterprise data managed through the open-source ERP system. The vulnerability resides in the ModelClass::getOrderBy() method where the software fails to properly validate or sanitize user input before incorporating it into SQL queries. This allows authenticated API users to manipulate the sort parameter and inject malicious SQL commands that can be executed within the database context. The vulnerability affects all API endpoints that support sorting functionality, creating a broad attack surface that could potentially expose sensitive financial and business data. The issue has been addressed in version 2025.81 through proper input validation and sanitization measures.
The technical implementation of this vulnerability demonstrates a classic SQL injection flaw that aligns with CWE-89, which specifically addresses improper neutralization of special elements used in an SQL command. The root cause occurs when user-supplied data from the sort parameter is directly concatenated into the SQL ORDER BY clause without any form of input validation or parameterized query construction. This design flaw enables attackers to manipulate the database query structure and potentially execute unauthorized commands such as data extraction, modification, or deletion. The authenticated nature of the vulnerability means that an attacker must first obtain valid API credentials, but once achieved, the impact can be severe as the attacker can leverage the existing permissions to perform malicious database operations.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential complete database compromise and business disruption. An attacker with API access could extract sensitive financial information, modify transaction records, or even delete critical business data through the injected SQL commands. The vulnerability affects the core functionality of the ERP system, potentially leading to financial loss, regulatory compliance violations, and damage to business reputation. Organizations using affected versions of FacturaScripts face significant risk as the vulnerability allows for persistent access to their database through legitimate API interfaces that are typically monitored less rigorously than direct database connections.
Organizations should prioritize immediate remediation by upgrading to FacturaScripts version 2025.81, which includes proper input validation mechanisms. The fix implements proper parameterized queries and input sanitization for the sort parameter, preventing the direct concatenation of user-supplied data into SQL statements. Security teams should review every API endpoint that supports sorting to confirm that no similar flaw remains elsewhere in the system. Additionally, organizations should implement network segmentation and monitoring of API access patterns to detect potential exploitation attempts. The vulnerability also highlights the importance of secure coding practices and regular security testing of web applications, particularly those handling sensitive business data through REST APIs. It serves as a reminder of the critical need for input validation and of the consequences of failing to properly sanitize user data in database operations.
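The following is an added example, not code from FacturaScripts or from the advisory, illustrating the two points above: the root cause (a sort parameter concatenated verbatim into ORDER BY) beside the allowlist check that prevents it, and a simple detector that applies the same check to API access-log lines. Column names and sort directions cannot be bound as query parameters in ordinary database drivers, so the practical control for ORDER BY is a fixed allowlist of sortable columns and directions. The table name `clientes`, its column list, the `sort[column]=direction` query format, the `/api/3/` path prefix and the log lines are all constructed for the example and are not taken from the project.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only columns the API may sort on, per table.
# In a real service this would be derived from the model's field metadata.
SORTABLE_COLUMNS = {"clientes": {"codcliente", "nombre", "fechaalta"}}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def unsafe_order_by(sort: Dict[str, str]) -> str:
    """The pattern the advisory describes: user input pasted into the clause.

    Whatever the caller supplies becomes part of the SQL text unchanged."""
    return "ORDER BY " + ", ".join(f"{col} {dirn}" for col, dirn in sort.items())


def safe_order_by(table: str, sort: Dict[str, str]) -> str:
    """Hardened form: every column and direction must match the allowlist.

    Raises ValueError on anything that is not a known sortable column or
    an ASC/DESC keyword, so no user-controlled text reaches the SQL string."""
    allowed = SORTABLE_COLUMNS.get(table, set())
    parts = []
    for col, dirn in sort.items():
        if col not in allowed:
            raise ValueError(f"column not sortable: {col!r}")
        direction = dirn.upper()
        if direction not in ALLOWED_DIRECTIONS:
            raise ValueError(f"bad direction: {dirn!r}")
        parts.append(f"{col} {direction}")
    return "ORDER BY " + ", ".join(parts) if parts else ""


# Constructed access-log format: timestamp, client IP, method, path+query, status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def extract_sort(path: str) -> Dict[str, str]:
    """Pull sort[column]=direction pairs out of a request's query string."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    sort = {}
    for key, values in query.items():
        match = re.fullmatch(r"sort\[(.*)\]", key, re.S)
        if match:
            sort[match.group(1)] = values[-1]
    return sort


def flag_suspicious(lines: List[str]) -> List[dict]:
    """Report log lines whose sort parameters fail the allowlist check.

    A rejected value is not proof of exploitation, but it is exactly the
    input class the vulnerable version would have concatenated into SQL."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        path = match.group("path")
        table = urlsplit(path).path.rstrip("/").split("/")[-1]
        sort = extract_sort(path)
        if not sort:
            continue
        try:
            safe_order_by(table, sort)
        except ValueError as err:
            findings.append({"ts": match.group("ts"), "ip": match.group("ip"), "reason": str(err)})
    return findings


# Constructed sample log: one clean request, two with malformed sort values,
# one without any sort parameter.
SAMPLE_LOG = [
    "2026-02-10T09:12:01Z 10.0.0.5 GET /api/3/clientes?sort[nombre]=ASC 200",
    "2026-02-10T09:12:07Z 10.0.0.5 GET /api/3/clientes?sort[nombre%3B]=ASC 200",
    "2026-02-10T09:12:09Z 10.0.0.9 GET /api/3/clientes?sort[nombre]=ASC%2C%20codcliente 200",
    "2026-02-10T09:13:00Z 10.0.0.5 GET /api/3/clientes 200",
]

if __name__ == "__main__":
    print(safe_order_by("clientes", {"nombre": "asc", "fechaalta": "DESC"}))
    for finding in flag_suspicious(SAMPLE_LOG):
        print(finding)
```

The detector deliberately reuses `safe_order_by` rather than a separate regex, so the monitoring rule and the input validation cannot drift apart: anything the hardened code would refuse is what the log review surfaces.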