CVE-2026-40522 in FrontAccounting

Summary

by MITRE • 06/29/2026

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Because the value is concatenated into an unparameterized WHERE clause, an attacker can supply malicious SQL syntax to retrieve sensitive information, including usernames, password hashes, and email addresses from the users table, which is then rendered into the PDF report output.


Responsible: VulnCheck

Reservation: 04/13/2026

Disclosure: 06/29/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low
