CVE-2026-40522
FrontAccounting < 2.4.20 SQL Injection via rep601.php
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through the unparameterized WHERE clause to retrieve sensitive information including usernames, password hashes, and email addresses from the users table, rendered into PDF report output.
| CWE | CWE-89 CWE-916 |
| Vendor | frontaccounting |
| Product | frontaccounting |
| Published | Jun 29, 2026 |
| Last Updated | Jun 29, 2026 |
Stay Ahead of the Next One
Get instant alerts for frontaccounting frontaccounting
Be the first to know when new high vulnerabilities affecting frontaccounting frontaccounting are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Affected Versions
FrontAccounting / FrontAccounting
0 < 2.4.20
References
jivasecurity.com: https://jivasecurity.com/writeups/frontaccounting-sqli-bank-statement-report-cve-2026-40522 sourceforge.net: https://sourceforge.net/p/frontaccounting/news/2026/04/release-2420/ github.com: https://github.com/FrontAccountingERP/FA/commit/894adaf71393e0ef6a04fe6036fcd2464050f590 vulncheck.com: https://www.vulncheck.com/advisories/frontaccounting-sql-injection-via-rep601-php
Credits
Jiva (JivaSecurity)