Skip to main content

FrontAccounting CVE-2026-40524

| EUVDEUVD-2026-40079 HIGH
SQL Injection (CWE-89)
2026-06-29 VulnCheck GHSA-w5j4-x499-pfwp
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable with low complexity but needs the SA_GLANALYTIC privilege (PR:L); read-only blind data extraction yields C:H with no integrity or availability impact, contrary to the input's VA:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 14:22 vuln.today

DescriptionCVE.org

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.

AnalysisAI

SQL injection in FrontAccounting's get_gl_transactions() function lets authenticated users holding the SA_GLANALYTIC permission read arbitrary database contents by injecting into the unparameterized filter_type parameter of a SQL IN() clause. The flaw enables boolean-based blind extraction of sensitive journal-entry and general-ledger data using reliable response-size differentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with SA_GLANALYTIC permission
Delivery
Open GL analytics report
Exploit
Inject closing paren plus SQL into filter_type
Execution
Trigger boolean-based blind SQLi in IN() clause
Persist
Measure response-size differentials
Impact
Extract journal-entry data bit by bit

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated FrontAccounting account holding the SA_GLANALYTIC permission and access to the general-ledger analytics report that invokes get_gl_transactions(); the attacker must control the filter_type parameter, which the code passes unparameterized into a SQL IN() clause. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately consistent and point to a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has been granted (or has compromised an account with) the SA_GLANALYTIC permission opens the general-ledger analytics report and submits a crafted filter_type value such as a closing parenthesis followed by an injected OR/AND condition. Because the input is concatenated into the IN() clause, the application returns measurably different response sizes for true versus false conditions, letting the attacker iteratively extract journal entries and other database contents bit by bit. …
Remediation Vendor-released patch: upgrade to FrontAccounting 2.4.20 or later, which parameterizes the filter_type input; the corresponding code change is the upstream commit at https://github.com/FrontAccountingERP/FA/commit/647a18196caad27f96ea852e993c9e30f815357f and the release notes are at https://sourceforge.net/p/frontaccounting/news/2026/04/release-2420/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all FrontAccounting deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40524 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy