← back
CVE-2026-40523

FrontAccounting < 2.4.20 SQL Injection via reporting/rep710.php

CVSS 7.2 HIGHEPSS 0.3%CWE-89
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 7.2EPSS 0.3%KEV nãoPoC públicaNuclei Metasploit Patch referenciado
Lifecycle
29 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that allows authenticated attackers with SA_GLANALYTIC permission to execute arbitrary SQL queries by injecting malicious code into the PARAM_2 and PARAM_3 POST parameters. Attackers can exploit time-based blind SQL injection through SLEEP() functions that are amplified across JOIN result sets to cause denial of service by exhausting database connections, or extract arbitrary database content through UNION-based injection techniques.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →