CVE-2026-25513
Published 2026-02-04
Priority: P2 · 62 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.47% (percentile 37.3)
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| facturascripts | facturascripts | < 2025.81 | 2025.81 |
| facturascripts | facturascripts | >= 0 < 2025.81 | 2025.81 |
| neorazorx | facturascripts | < 2025.81 | 2025.81 |
Detection & IOCs (extracted from sources)
- SQL injection via the `sort` query parameter in REST API endpoints: user-supplied sorting values are concatenated directly into the SQL ORDER BY clause without validation or sanitization.
- All API endpoints supporting sorting functionality in FacturaScripts prior to version 2025.81 are affected; monitor API requests containing anomalous `sort` parameter values (e.g., SQL keywords, subqueries, UNION statements).
- Exploitation requires authentication: only authenticated API users can trigger the SQL injection via the sort parameter.
- The vulnerability is patched in FacturaScripts version 2025.81; instances running prior versions of facturascripts/facturascripts (Composer package) remain vulnerable.
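The second detection item above suggests watching API requests for anomalous `sort` values. The following is an added example of that check, written for this page and not taken from FacturaScripts or any vendor detection rule. It parses constructed web-server access-log lines (the log format, the `/api/` path prefix and the `column:direction` sort convention are assumptions) and flags any `sort` value that is not a plain list of column names with optional directions, or that carries SQL keywords, comment markers or quoting characters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined-log style (not real traffic).
# Lines 2 and 3 carry sort values of the kind the advisory describes.
SAMPLE_LOG = """\
10.0.0.5 - apiuser [04/Feb/2026:10:01:02 +0000] "GET /api/3/customers?sort=nombre:asc HTTP/1.1" 200 5120
10.0.0.5 - apiuser [04/Feb/2026:10:01:07 +0000] "GET /api/3/users?sort=nick%20desc,(SELECT%201) HTTP/1.1" 200 640
10.0.0.9 - apiuser [04/Feb/2026:10:02:11 +0000] "GET /api/3/attachedfiles?sort=filename%20UNION%20SELECT%201 HTTP/1.1" 500 210
10.0.0.9 - apiuser [04/Feb/2026:10:02:30 +0000] "GET /api/3/attachedfiles?offset=10 HTTP/1.1" 200 3000
"""

# Request line inside the quotes: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# What a legitimate sort value is assumed to look like: one or more identifiers,
# each with an optional ':asc'/' desc' style direction, comma separated.
IDENT = r"[A-Za-z_][A-Za-z0-9_]*(?:[: ](?:asc|desc))?"
LEGIT_SORT_RE = re.compile(rf"^{IDENT}(?:,{IDENT})*$", re.IGNORECASE)

# Tokens that have no business in a column list: SQL keywords, comment
# markers, quotes, parentheses and statement separators.
SQL_TOKEN_RE = re.compile(
    r"\b(?:union|select|sleep|benchmark|pg_sleep|load_file)\b|--|/\*|[;'\"()]",
    re.IGNORECASE,
)


def classify_sort_value(value: str) -> list[str]:
    """Return the reasons a sort value looks suspicious (empty list if clean)."""
    reasons = []
    if not LEGIT_SORT_RE.match(value):
        reasons.append("not a plain column/direction list")
    if SQL_TOKEN_RE.search(value):
        reasons.append("contains SQL keywords, comments or quoting characters")
    return reasons


def find_suspicious_sort(log_text: str) -> list[dict]:
    """Scan access-log text and report API requests with anomalous sort values."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if not target.path.startswith("/api/"):
            continue
        # parse_qs percent-decodes, so the classifier sees what the server saw.
        for raw in parse_qs(target.query, keep_blank_values=True).get("sort", []):
            reasons = classify_sort_value(raw)
            if reasons:
                findings.append(
                    {"line": lineno, "path": target.path, "sort": raw, "reasons": reasons}
                )
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_sort(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['path']} sort={hit['sort']!r} -> {hit['reasons']}")
```

On the sample above only lines 2 and 3 are reported; the legitimate `nombre:asc` request and the request with no `sort` parameter pass. Tune `IDENT` to the sort syntax your deployment actually accepts before using the allowlist part of the check.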
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA · 2026-02-03
CVE-2026-25513 [HIGH] CWE-1286: FacturaScripts has SQL Injection in API ORDER BY Clause
### Summary
**FacturaScripts contains a critical SQL Injection vulnerability in the REST API** that allows authenticated API users to execute arbitrary SQL queries through the `sort` parameter. The vulnerability exists in the `ModelClass::getOrderBy()` method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects **all API endpoints** that support sorting functionality.
---
### Details
The FacturaScripts REST API exposes database models through various endpoints (e.g., `/api/3/users`, `/api/3/attachedfiles`, `/api/3/customers`). These endpoints support a `sort` parameter that allows clients to specify result ordering. The API processes this par
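The advisory's point is that the `sort` value reaches the ORDER BY clause verbatim, and that the fix is to validate it before it touches SQL text. The following is an added example of the flawed pattern beside a hardened replacement. It is written in Python for this page and is not FacturaScripts code (the project is PHP; `ModelClass::getOrderBy()` is not reproduced here). The `column:direction` request syntax, the per-model allowlist and the `customers` table used for the demonstration are all assumptions.

```python
import sqlite3

# Per-model allowlist of sortable columns. Constructed for this example; a real
# application should derive it from the model's own column definitions.
SORTABLE_COLUMNS = {
    "customers": {"codcliente", "nombre", "fechaalta"},
    "users": {"nick", "email", "lastactivity"},
}
DIRECTIONS = {"ASC", "DESC"}


def build_order_by_unsafe(sort_param: str) -> str:
    """The flawed pattern the advisory describes: the client value is pasted into
    the SQL text as-is. Kept only to contrast with the safe builder below; do not
    execute what it returns."""
    return f" ORDER BY {sort_param}"


def build_order_by_safe(model: str, sort_param: str) -> str:
    """Turn 'col:asc,col2:desc' (assumed client format) into a safe ORDER BY.

    Every column must appear in the model's allowlist and every direction must be
    ASC or DESC. Anything else raises ValueError, so the database never sees a
    client-controlled token. Column names are quoted as identifiers.
    """
    allowed = SORTABLE_COLUMNS.get(model)
    if allowed is None:
        raise ValueError(f"unknown model {model!r}")
    if not sort_param.strip():
        return ""
    clauses = []
    for item in sort_param.split(","):
        col, _, direction = item.strip().partition(":")
        direction = (direction or "asc").strip().upper()
        if col not in allowed or direction not in DIRECTIONS:
            raise ValueError(f"rejected sort term {item!r}")
        clauses.append(f'"{col}" {direction}')
    return " ORDER BY " + ", ".join(clauses)


def is_rejected(model: str, sort_param: str) -> bool:
    """True if the safe builder refuses the sort value."""
    try:
        build_order_by_safe(model, sort_param)
    except ValueError:
        return True
    return False


def sorted_customer_names(sort_param: str) -> list[str]:
    """Run the safe ORDER BY against a constructed in-memory customers table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (codcliente TEXT, nombre TEXT, fechaalta TEXT)")
    con.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("C1", "Zeta SL", "2025-01-03"), ("C2", "Alfa SA", "2025-02-10"), ("C3", "Beta SL", "2024-12-30")],
    )
    sql = "SELECT nombre FROM customers" + build_order_by_safe("customers", sort_param)
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    print(sorted_customer_names("nombre:asc"))
    print(build_order_by_safe("customers", "fechaalta:desc,codcliente"))
    print(is_rejected("customers", "nombre,(select 1)"))
```

The safe builder is deliberately strict: it rejects unknown columns rather than dropping them silently, so a client cannot probe which names reach the database, and it never interpolates the raw value anywhere, not even into the error message sent to the client (the `ValueError` text is for server-side logging).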
OSV · 2026-02-03
CVE-2026-25513 [HIGH] FacturaScripts has SQL Injection in API ORDER BY Clause (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.