CVE-2026-40524 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-40524

CVE-2026-40524

Published:June 29, 2026

Updated:June 29, 2026

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.

Related Resources (4)

https://www.vulncheck.com/advisories/frontaccounting-sql-injection-via-get-gl-transactions

https://github.com/FrontAccountingERP/FA/commit/647a18196caad27f96ea852e993c9e30f815357f

https://jivasecurity.com/writeups/frontaccounting-sqli-journal-entries-report-cve-2026-40524

https://sourceforge.net/p/frontaccounting/news/2026/04/release-2420/

Do you need more information?

CVSS v4

Base Score:

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

NONE

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89