CVE-2026-35152
Apache Fineract: SQL injection in runreports endpoint
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.
| CWE | CWE-89 |
| Vendor | apache software foundation |
| Product | apache fineract |
| Published | Jul 15, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for apache software foundation apache fineract
Be the first to know when new high vulnerabilities affecting apache software foundation apache fineract are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Apache Software Foundation / Apache Fineract
0 โค 1.14.0
References
Credits
JD Security Shenyi Team ๐ Geo Chen ๐ Quac Tran Terence Monteiro (@terencemo) รdรกm Sรกghy (@adamsaghy) Aleksandar Vidakovic (@vidakovic)