Cyber Resilience

CVE-2026-25513

HighPublic PoC

Published: 04 February 2026

Published
04 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 8.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0047 37.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25513 is a high-severity Improper Input Validation (CWE-20) vulnerability in Facturascripts Facturascripts. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25513 is a critical SQL injection vulnerability in FacturaScripts, an open-source enterprise resource planning and accounting software. Affecting versions prior to 2025.81, the flaw resides in the ModelClass::getOrderBy() method of the REST API, where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without proper validation or sanitization. This issue impacts all API endpoints that support sorting functionality, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapping to CWEs-20 (Improper Input Validation), CWE-89 (SQL Injection), CWE-943 (Improper Neutralization of Special Elements in Output), and CWE-1286 (Improper Validation of Syntactic Correctness of Input).

An authenticated API user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting a malicious value for the sort parameter in API requests to affected endpoints, attackers can inject and execute arbitrary SQL queries, potentially leading to high confidentiality, integrity, and availability impacts such as unauthorized data access, modification, or deletion from the underlying database.

The vulnerability has been addressed in FacturaScripts version 2025.81. Security practitioners should upgrade to this patched version immediately. Detailed patch information is available in the GitHub commit at https://github.com/NeoRazorX/facturascripts/commit/1b6cdfa9ee1bb3365ea4a4ad753452035a027605, and further guidance is provided in the GitHub security advisory at https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-cjfx-qhwm-hf99.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability…

more

exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in exposed REST API directly enables remote exploitation of a public-facing application (T1190) by low-privileged authenticated users, resulting in arbitrary database queries with high CIA impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25514Same product: Facturascripts Facturascripts
CVE-2026-23997Same product: Facturascripts Facturascripts
CVE-2025-27378Shared CWE-20, CWE-89
CVE-2026-3023Shared CWE-89, CWE-943
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89

Affected Assets

facturascripts
facturascripts
≤ 2025.81

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates validation and sanitization of user-supplied inputs like the sort parameter to directly prevent SQL injection in the ModelClass::getOrderBy() method.

prevent

Requires timely identification, reporting, and correction of flaws such as this SQL injection vulnerability by applying the patch in version 2025.81.

prevent

Enforces restrictions on information inputs, such as allowlisting valid sort fields, to block malicious SQL payloads in API requests.

References