Skip to main content

Frontaccounting

9 CVEs product

Monthly

CVE-2026-40521 HIGH POC PATCH This Week

Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to plant a PHP web shell. The handler fails to validate the unique_name parameter, so traversal sequences write attacker-controlled files outside the attachments directory and into the web root, and because file extensions are not validated, an uploaded PHP file executes as the web server user. Publicly available exploit code exists and a vendor patch is available, though the issue is not listed in CISA KEV.

Path Traversal RCE PHP Frontaccounting
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-40522 HIGH POC PATCH This Week

SQL injection in FrontAccounting before 2.4.20 allows authenticated attackers to extract arbitrary database contents by injecting UNION SELECT payloads into the PARAM_0 POST parameter of the Bank Statement report handler (rep601.php). Attackers with valid low-privilege accounts can dump usernames, password hashes, and email addresses from the users table, with results rendered into the generated PDF report. Publicly available exploit code exists and a vendor patch was released in 2.4.20; the flaw is not listed in CISA KEV and no active exploitation is confirmed.

SQLi Frontaccounting
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-40523 HIGH POC PATCH This Week

SQL injection in FrontAccounting's Audit Trail report handler (reporting/rep710.php) lets authenticated users holding the SA_GLANALYTIC permission run arbitrary SQL through the PARAM_2 and PARAM_3 POST parameters in all releases prior to 2.4.20. Attackers can extract arbitrary database contents via UNION-based injection or knock the application offline by amplifying SLEEP() across JOINed result sets to exhaust database connections. Publicly available exploit code exists (VulnCheck/Jiva Security writeup), but the issue is not in CISA KEV, so it is no public exploit identified as actively exploited.

SQLi Denial Of Service Frontaccounting
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-40524 HIGH POC PATCH This Week

SQL injection in FrontAccounting's get_gl_transactions() function lets authenticated users holding the SA_GLANALYTIC permission read arbitrary database contents by injecting into the unparameterized filter_type parameter of a SQL IN() clause. The flaw enables boolean-based blind extraction of sensitive journal-entry and general-ledger data using reliable response-size differentials. Publicly available exploit code exists and a vendor patch shipped in 2.4.20, though there is no public exploit identified as actively exploited.

SQLi Frontaccounting
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2020-21244 MEDIUM POC This Month

An issue was discovered in FrontAccounting 2.4.7. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Frontaccounting
NVD GitHub
CVSS 3.1
4.9
EPSS
1.0%
CVE-2019-5720 CRITICAL POC Act Now

includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Frontaccounting
NVD GitHub
CVSS 3.0
9.8
EPSS
1.5%
CVE-2018-1000890 HIGH POC This Week

FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Frontaccounting
NVD GitHub Exploit-DB
CVSS 3.0
7.5
EPSS
1.8%
CVE-2018-7176 HIGH POC This Week

FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Frontaccounting
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
2.4%
CVE-2014-3973 HIGH POC PATCH This Week

Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Frontaccounting
NVD
CVSS 2.0
7.5
EPSS
0.4%
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to plant a PHP web shell. The handler fails to validate the unique_name parameter, so traversal sequences write attacker-controlled files outside the attachments directory and into the web root, and because file extensions are not validated, an uploaded PHP file executes as the web server user. Publicly available exploit code exists and a vendor patch is available, though the issue is not listed in CISA KEV.

Path Traversal RCE PHP +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

SQL injection in FrontAccounting before 2.4.20 allows authenticated attackers to extract arbitrary database contents by injecting UNION SELECT payloads into the PARAM_0 POST parameter of the Bank Statement report handler (rep601.php). Attackers with valid low-privilege accounts can dump usernames, password hashes, and email addresses from the users table, with results rendered into the generated PDF report. Publicly available exploit code exists and a vendor patch was released in 2.4.20; the flaw is not listed in CISA KEV and no active exploitation is confirmed.

SQLi Frontaccounting
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in FrontAccounting's Audit Trail report handler (reporting/rep710.php) lets authenticated users holding the SA_GLANALYTIC permission run arbitrary SQL through the PARAM_2 and PARAM_3 POST parameters in all releases prior to 2.4.20. Attackers can extract arbitrary database contents via UNION-based injection or knock the application offline by amplifying SLEEP() across JOINed result sets to exhaust database connections. Publicly available exploit code exists (VulnCheck/Jiva Security writeup), but the issue is not in CISA KEV, so it is no public exploit identified as actively exploited.

SQLi Denial Of Service Frontaccounting
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in FrontAccounting's get_gl_transactions() function lets authenticated users holding the SA_GLANALYTIC permission read arbitrary database contents by injecting into the unparameterized filter_type parameter of a SQL IN() clause. The flaw enables boolean-based blind extraction of sensitive journal-entry and general-ledger data using reliable response-size differentials. Publicly available exploit code exists and a vendor patch shipped in 2.4.20, though there is no public exploit identified as actively exploited.

SQLi Frontaccounting
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC This Month

An issue was discovered in FrontAccounting 2.4.7. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Frontaccounting
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Frontaccounting
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Frontaccounting
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.8
HIGH POC This Week

FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Frontaccounting
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Frontaccounting
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy