CVE-2026-40524
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
FrontAccounting before version 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.
Risk Assessment
The organization is at risk of sensitive accounting data leakage, such as journal entries, which could lead to financial confidentiality breaches and regulatory non-compliance.
Recommendation
Immediately upgrade FrontAccounting to version 2.4.20 or later, which includes a fix that addresses the vulnerability by using parameterized SQL queries.
Original NVD description (English source)
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.

