Cyber Resilience

CVE-2026-25514

Severity: High · Public PoC

Published: 04 February 2026

Modified: 23 February 2026
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0047 (37.2nd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25514 is a high-severity Improper Input Validation (CWE-20) vulnerability in FacturaScripts (vendor: Facturascripts). Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 37.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25514 is a critical SQL injection vulnerability in FacturaScripts, an open-source enterprise resource planning and accounting software, affecting versions prior to 2025.81. The issue lies in the autocomplete functionality, specifically the CodeModel::all() method, where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This flaw, published on 2026-02-04, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 20 (Improper Input Validation), 89 (SQL Injection), and 943 (Improper Neutralization of Special Elements in Output).

Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables extraction of sensitive data from the database, including user credentials, configuration settings, and all stored business data, potentially leading to high impacts on confidentiality, integrity, and availability.

The vulnerability is patched in FacturaScripts version 2025.81. Mitigation involves upgrading to this version or later. Details are provided in the GitHub security advisory at https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952 and the patching commit at https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f.
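The concatenation defect the analysis describes, shown side by side with its hardened form in a small Python/sqlite3 illustration added here (this is not FacturaScripts' code; the table, column names, sample rows and helper names are constructed). The vulnerable helper splices every parameter into the SQL text, so a search term containing a quote is parsed as SQL; the hardened helper checks the table and column against an allowlist and binds the search term as data.

```python
import sqlite3

# Constructed sample data standing in for an ERP lookup table (not FacturaScripts' schema).
SAMPLE_ROWS = [
    ("P001", "Office chair"),
    ("P002", "O'Neil desk lamp"),
    ("P003", "Standing desk"),
]

# Identifiers cannot be bound as query parameters, so they are checked against an allowlist.
ALLOWED_TARGETS = {"productos": {"referencia", "descripcion"}}


def _connect() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE productos (referencia TEXT PRIMARY KEY, descripcion TEXT)")
    conn.executemany("INSERT INTO productos VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def autocomplete_vulnerable(conn, table, field, term):
    """Anti-pattern: table, column and term are all spliced into the SQL text,
    so the term is interpreted by the SQL parser instead of being treated as data."""
    sql = f"SELECT referencia, {field} FROM {table} WHERE {field} LIKE '%{term}%' ORDER BY referencia"
    return conn.execute(sql).fetchall()


def autocomplete_safe(conn, table, field, term):
    """Hardened form: identifiers come from an allowlist, the term is a bound parameter,
    and LIKE wildcards inside the term are escaped so they match literally."""
    if table not in ALLOWED_TARGETS or field not in ALLOWED_TARGETS[table]:
        raise ValueError(f"unsupported lookup target: {table}.{field}")
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (f"SELECT referencia, {field} FROM {table} "
           f"WHERE {field} LIKE ? ESCAPE '\\' ORDER BY referencia")
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


def term_reaches_parser(term):
    """True when the vulnerable helper lets the term change the SQL syntax
    (the database reports a syntax error instead of running a lookup)."""
    conn = _connect()
    try:
        autocomplete_vulnerable(conn, "productos", "descripcion", term)
    except sqlite3.OperationalError:
        return True
    return False
```

Running both helpers on a term containing a quote makes the difference visible: the hardened helper returns the matching row, while the vulnerable one hands the quote to the SQL parser.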

Vulnerability details

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
- T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

SQL injection in a web-based ERP directly enables remote exploitation of a public-facing application (T1190); once exploited, it facilitates collection of data from the database (T1213.006) and extraction of the credentials stored there (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-25513 (same product: Facturascripts Facturascripts)
- CVE-2026-23997 (same product: Facturascripts Facturascripts)
- CVE-2026-34385 (shared CWE-89)
- CVE-2025-55444 (shared CWE-20, CWE-89)
- CVE-2018-25199 (shared CWE-89)
- CVE-2026-27179 (shared CWE-89)
- CVE-2025-0308 (shared CWE-89)
- CVE-2019-25581 (shared CWE-89)
- CVE-2026-27885 (shared CWE-89)
- CVE-2019-25479 (shared CWE-89)

Affected Assets

Vendor: facturascripts
Product: facturascripts
Versions: ≤ 2025.81

Mitigating Controls (NIST 800-53 r5, AI-mapped)

- Prevent (SI-10, Information Input Validation): requires validation of user-supplied parameters before concatenation into SQL queries, directly preventing the SQL injection vulnerability in CodeModel::all().
- Prevent: mandates timely identification, testing, and installation of patches for the SQL injection flaw fixed in FacturaScripts version 2025.81.
- Detect / respond (RA-5, Vulnerability Monitoring and Scanning): enables scanning for SQL injection vulnerabilities like CVE-2026-25514 and remediation within defined timeframes to prevent exploitation.