CVE-2026-25513
published 2026-02-04


Priority: P2 · 62 · high · 8.8 (CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.47% (37.3rd percentile)
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.

Affected (3 ranges)

Vendor          Product         Version range       Fixed in
facturascripts  facturascripts  < 2025.81           2025.81
facturascripts  facturascripts  >= 0, < 2025.81     2025.81
neorazorx       facturascripts  < 2025.81           2025.81

Detection & IOCs (extracted from sources)

  • SQL injection via the `sort` query parameter in REST API endpoints — user-supplied sorting values are concatenated directly into the SQL ORDER BY clause without validation or sanitization
  • All API endpoints supporting sorting functionality in FacturaScripts prior to version 2025.81 are affected; monitor API requests containing anomalous `sort` parameter values (e.g., SQL keywords, subqueries, UNION statements)
  • Exploitation requires authentication — only authenticated API users can trigger the SQL injection via the sort parameter
  • The vulnerability is patched in FacturaScripts version 2025.81; instances running prior versions of facturascripts/facturascripts (Composer package) remain vulnerable
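Added example, not FacturaScripts code: a small Python check that scans constructed web-server log lines for `sort` parameter values that are anything other than a plain column identifier plus a direction, which is the anomaly the monitoring bullet above points at. The accepted parameter shapes, the combined-log format and the `/api/3/clientes` path are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed benign shapes for the sort parameter (not taken from FacturaScripts):
#   sort=<column>, sort=<column>:<asc|desc>, or sort[<column>]=<ASC|DESC>.
# A bare SQL identifier plus a direction keyword is all a valid sort needs,
# so anything outside that grammar is treated as anomalous.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
DIRECTIONS = {"asc", "desc"}

# Constructed combined-log lines; the last two carry malformed sort values.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Feb/2026:10:00:01 +0000] "GET /api/3/clientes?sort=nombre:asc HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Feb/2026:10:00:02 +0000] "GET /api/3/clientes?sort[codcliente]=DESC HTTP/1.1" 200 498',
    '10.0.0.9 - - [04/Feb/2026:10:00:03 +0000] "GET /api/3/clientes?sort=nombre,(select%201) HTTP/1.1" 500 0',
    '10.0.0.9 - - [04/Feb/2026:10:00:04 +0000] "GET /api/3/clientes?sort[(select%201)]=ASC HTTP/1.1" 500 0',
]

def sort_values(url: str) -> list[tuple[str, str]]:
    """Extract (column, direction) pairs from the query string of a request URL."""
    pairs = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        bracketed = re.fullmatch(r"sort\[(.*)\]", key)
        if bracketed:
            pairs.append((bracketed.group(1), value))
        elif key == "sort":
            column, _, direction = value.partition(":")
            pairs.append((column, direction or "asc"))
    return pairs

def is_anomalous(column: str, direction: str) -> bool:
    """True unless the column is a plain identifier and the direction is asc/desc."""
    return not (IDENT.match(column) and direction.lower() in DIRECTIONS)

def flag_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (log line, reason) for every request with an anomalous sort value."""
    hits = []
    for line in log_lines:
        request = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not request:
            continue
        for column, direction in sort_values(request.group(1)):
            if is_anomalous(column, direction):
                hits.append((line, f"sort column={column!r} direction={direction!r}"))
    return hits

if __name__ == "__main__":
    for line, reason in flag_requests(SAMPLE_LOG):
        print(reason, "<-", line.split('"')[1])
```

The allowlist grammar is deliberately strict: a legitimate client never needs punctuation or whitespace in a sort field, so a single hit is worth a look even on a patched instance.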

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v4.0     8.3    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X