CVE-2026-25514

HIGH

FacturaScripts < 2025.81 - Authenticated SQL Injection via Autocomplete CodeModel::all() Method

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-25514. PoCs published by lukasz-rybak.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for CVE-2026-25514 in FacturaScripts, targeting the autocomplete functionality via the `fieldtitle` parameter. It includes both manual CLI steps and an automated Python script to extract database information.

Description

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.

Exploits (1)

nomisec WORKING POC

by lukasz-rybak · poc

https://github.com/lukasz-rybak/CVE-2026-25514

View Code ZIP pw:eip

This repository contains a functional SQL injection exploit for CVE-2026-25514 in FacturaScripts, targeting the autocomplete functionality via the `fieldtitle` parameter. It includes both manual CLI steps and an automated Python script to extract database information.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: FacturaScripts < 2025.81

Auth required

Prerequisites: Valid authentication credentials · Access to FacturaScripts web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952

Patch x_refsource_misc

https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0003

EPSS Percentile 8.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20 CWE-943 CWE-89

Status published

Products (2)

facturascripts/facturascripts < 2025.81

facturascripts/facturascripts 0 - 2025.81Packagist

Published Feb 04, 2026

Tracked Since Feb 18, 2026