CVE-2026-25513 · HIGH 8.8 · EPSS p37.1%

Description

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.
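As an added illustration (not code from FacturaScripts or from its fix commit), a hypothetical PHP ORDER BY builder shows the concatenation pattern the description names, beside an allow-listed replacement; the shape of the `$order` map, the column names and `SORTABLE_COLUMNS` are assumptions made for this example.

```php
<?php
// Added example, not FacturaScripts code. The sort map shape ($field => $direction),
// the column names and the allow-list are constructed for illustration.
declare(strict_types=1);

/** Constructed allow-list: the columns this hypothetical model is willing to sort by. */
const SORTABLE_COLUMNS = ['idfactura', 'codcliente', 'fecha', 'total'];

/** Vulnerable pattern: caller-supplied keys and directions are interpolated verbatim. */
function getOrderByUnsafe(array $order): string
{
    $parts = [];
    foreach ($order as $field => $dir) {
        $parts[] = $field . ' ' . $dir;   // request input reaches the SQL string untouched
    }
    return $parts === [] ? '' : ' ORDER BY ' . implode(', ', $parts);
}

/** Hardened pattern: only allow-listed columns and a fixed direction vocabulary. */
function getOrderBySafe(array $order, array $allowed = SORTABLE_COLUMNS): string
{
    $parts = [];
    foreach ($order as $field => $dir) {
        if (!in_array($field, $allowed, true)) {
            throw new InvalidArgumentException("Unknown sort column: {$field}");
        }
        // Direction is never copied from input; it is mapped onto two constants.
        $direction = strtoupper((string) $dir) === 'DESC' ? 'DESC' : 'ASC';
        // Identifier quoting is dialect-specific (MySQL uses backticks by default).
        $parts[] = '"' . $field . '" ' . $direction;
    }
    return $parts === [] ? '' : ' ORDER BY ' . implode(', ', $parts);
}

// Constructed inputs: one legitimate, one carrying SQL syntax inside the column name.
$legit   = ['fecha' => 'desc'];
$hostile = ['fecha, (SELECT 1)' => 'ASC'];

echo getOrderByUnsafe($legit), PHP_EOL;
echo getOrderByUnsafe($hostile), PHP_EOL;   // the extra SQL survives into the query
echo getOrderBySafe($legit), PHP_EOL;
try {
    getOrderBySafe($hostile);               // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Validating the column against a fixed list and mapping the direction onto two constants removes the injection point entirely, since ORDER BY identifiers cannot be bound as prepared-statement parameters.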

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.47% probability of exploitation · percentile 37.1% · 2026-06-19T12:03:05Z
Published: 2026-02-04
Last modified: 2026-02-23

Underlying weaknesses · 4

CWE-20, CWE-89, CWE-943, CWE-1286

References

  1. https://github.com/NeoRazorX/facturascripts/commit/1b6cdfa9ee1bb3365ea4a4ad753452035a027605
  2. https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-cjfx-qhwm-hf99

Type | Target | Confidence | Tier
Weakness | Improper Validation of Syntactic Correctness of Input (CWE-1286) | 0% | live
Weakness | Improper Input Validation (CWE-20) | 0% | live
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 0% | live
Weakness | Improper Neutralization of Special Elements in Data Query Logic (CWE-943) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-25514
CVE: CVE-2026-23997
CVE: CVE-2025-47599
CVE: CVE-2026-21630
CVE: CVE-2026-26186
CVE: CVE-2025-52040

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.