CVE-2026-25514
Published: 04 February 2026
Summary
CVE-2026-25514 is a high-severity Improper Input Validation (CWE-20) vulnerability in FacturaScripts (vendor: FacturaScripts). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 7.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of user-supplied parameters before concatenation into SQL queries, directly preventing the SQL injection vulnerability in CodeModel::all().
- SI-2 (Flaw Remediation): Mandates timely identification, testing, and installation of patches for the SQL injection flaw fixed in FacturaScripts version 2025.81.
- RA-5 (Vulnerability Monitoring and Scanning): Enables scanning for SQL injection vulnerabilities like CVE-2026-25514 and remediation within defined timeframes to prevent exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a web-based ERP directly enables remote exploitation of a public-facing application (T1190); it also facilitates collection of data from the database (T1213.006) and extraction of stored credentials (T1552).
NVD Description
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81.
Deeper analysis
CVE-2026-25514 is a critical SQL injection vulnerability in FacturaScripts, an open-source enterprise resource planning and accounting software, affecting versions prior to 2025.81. The issue lies in the autocomplete functionality, specifically the CodeModel::all() method, where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This flaw, published on 2026-02-04, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 20 (Improper Input Validation), 89 (SQL Injection), and 943 (Improper Neutralization of Special Elements in Output).
Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables extraction of sensitive data from the database, including user credentials, configuration settings, and all stored business data, potentially leading to high impacts on confidentiality, integrity, and availability.
The vulnerability is patched in FacturaScripts version 2025.81. Mitigation involves upgrading to this version or later. Details are provided in the GitHub security advisory at https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952 and the patching commit at https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f.
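As an added illustration (not FacturaScripts' own code, which is PHP, and not the linked patch), the concatenation pattern the advisory describes for CodeModel::all() is shown beside a hardened form, using a hypothetical autocomplete over a constructed SQLite database in Python. The table/column allow-list, the schema, and the function names are assumptions made for this example.

```python
import re
import sqlite3

# Hypothetical allow-list of tables/columns the autocomplete may query
# (constructed for this example; not FacturaScripts' own schema).
ALLOWED = {"clientes": {"codcliente", "nombre"}}
IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")


def make_db():
    """Constructed sample DB: one business table plus a credentials table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE clientes(codcliente TEXT, nombre TEXT);"
        "INSERT INTO clientes VALUES ('C1', 'Acme');"
        "CREATE TABLE users(nick TEXT, password TEXT);"
        "INSERT INTO users VALUES ('admin', 'hashed-secret');")
    return db


def autocomplete_vulnerable(db, table, field, term):
    # CWE-89 pattern the advisory describes: caller-controlled table, column
    # and search term are concatenated into the SQL text and parsed as SQL.
    sql = f"SELECT {field} FROM {table} WHERE {field} LIKE '%{term}%'"
    return [r[0] for r in db.execute(sql)]


def autocomplete_fixed(db, table, field, term):
    # Hardened form: identifiers (which cannot be bound) are validated against
    # an allow-list (SI-10); the term travels as a bound parameter, never as SQL.
    if not (IDENT.match(table) and IDENT.match(field)):
        raise ValueError("bad identifier")
    if field not in ALLOWED.get(table, set()):
        raise ValueError(f"{table}.{field} not allowed for autocomplete")
    sql = f"SELECT {field} FROM {table} WHERE {field} LIKE ?"
    return [r[0] for r in db.execute(sql, (f"%{term}%",))]


def demo():
    # Exercise both variants on constructed input; returns what happened.
    db, out = make_db(), {}
    out["fixed_normal"] = autocomplete_fixed(db, "clientes", "nombre", "Ac")
    try:  # a plain apostrophe in the term is enough to reach the SQL parser
        autocomplete_vulnerable(db, "clientes", "nombre", "O'Br")
        out["vuln_quote"] = "no error"
    except sqlite3.OperationalError:
        out["vuln_quote"] = "syntax error: term was parsed as SQL"
    out["fixed_quote"] = autocomplete_fixed(db, "clientes", "nombre", "O'Br")
    try:  # credentials table is not on the allow-list
        autocomplete_fixed(db, "users", "password", "")
        out["fixed_users"] = "allowed"
    except ValueError:
        out["fixed_users"] = "rejected"
    return out
```

The apostrophe case is the tell a reviewer looks for: an unescaped quote from the caller reaching the database parser means any caller-controlled string is being treated as SQL, which is exactly the condition the advisory's CWE-20/CWE-89 classification describes.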
Details
- CWE(s)