CVE-2026-40522
Published: 29 June 2026
Summary
CVE-2026-40522 is a high-severity SQL Injection (CWE-89) vulnerability in Jivasecurity (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-40081
Vulnerability details
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through…
more
the unparameterized WHERE clause to retrieve sensitive information including usernames, password hashes, and email addresses from the users table, rendered into PDF report output.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection enables direct arbitrary data extraction from the backend database containing user credentials.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Information from security contacts highlights password hashing methods with insufficient computational effort, preventing their adoption.
Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
Validates query inputs to prevent SQL syntax or command manipulation.