๐Ÿ” CVE Alert

CVE-2026-35152

HIGH 8.8

Apache Fineract: SQL injection in runreports endpoint

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.

CWE CWE-89
Vendor apache software foundation
Product apache fineract
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache fineract

Be the first to know when new high vulnerabilities affecting apache software foundation apache fineract are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Apache Software Foundation / Apache Fineract
0 โ‰ค 1.14.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/apache/fineract/pull/5980 lists.apache.org: https://lists.apache.org/thread/d3bzcwsbywz7wg9zxvtlkvgmffqjyfn0 lists.apache.org: https://lists.apache.org/thread/658yddn0bpxqw2hpxnyk3vqd05bkchg9 openwall.com: http://www.openwall.com/lists/oss-security/2026/07/15/1

Credits

JD Security Shenyi Team ๐Ÿ” Geo Chen ๐Ÿ” Quac Tran Terence Monteiro (@terencemo) รdรกm Sรกghy (@adamsaghy) Aleksandar Vidakovic (@vidakovic)