CVE Catalog

CVE-2026-40524

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

FrontAccounting before version 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.

Risk Assessment

The organization is at risk of sensitive accounting data leakage, such as journal entries, which could lead to financial confidentiality breaches and regulatory non-compliance.

Recommendation

Immediately upgrade FrontAccounting to version 2.4.20 or later, which includes a fix that addresses the vulnerability by using parameterized SQL queries.

Original NVD description (English source)

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS