CVE-2026-25513: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in NeoRazorX facturascripts
CVE-2026-25513 is a high-severity SQL injection vulnerability in FacturaScripts ERP and accounting software versions prior to 2025.81. It affects the REST API's sorting functionality, where user input in the sort parameter is unsafely concatenated into SQL ORDER BY clauses without validation. Authenticated API users can exploit this flaw to execute arbitrary SQL commands, potentially compromising data confidentiality and integrity. The vulnerability has been patched in version 2025.81. No known exploits are reported in the wild yet. European organizations using affected versions of FacturaScripts should prioritize updating to mitigate risks. The vulnerability requires authentication but no user interaction, and it impacts all API endpoints supporting sorting. This threat is particularly relevant to countries with significant SME adoption of FacturaScripts and those with critical accounting and ERP infrastructure relying on this software.
AI Analysis
Technical Summary
FacturaScripts, an open-source ERP and accounting platform developed by NeoRazorX, contains a critical SQL injection vulnerability identified as CVE-2026-25513. The flaw resides in the ModelClass::getOrderBy() method, which processes the 'sort' parameter in API requests. Prior to version 2025.81, this parameter is directly concatenated into the SQL ORDER BY clause without proper validation or sanitization, a textbook instance of CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Because ORDER BY takes identifiers rather than values, the usual bound-parameter defence does not apply; the column and direction must instead be checked against an allowlist before the clause is built. The unvalidated concatenation allows authenticated API users to inject arbitrary SQL code, potentially leading to unauthorized data access, data modification, or disruption of database operations. The vulnerability affects all API endpoints that support sorting, broadening the attack surface. The CVSS 4.0 base score is 8.3 (high), reflecting network attack vector, low attack complexity, no user interaction, and high impact on confidentiality. The vulnerability does not require user interaction but does require authentication, limiting exposure to authorized users or compromised credentials. No public exploits have been reported yet, but the critical nature and ease of exploitation warrant immediate attention. The issue has been addressed in FacturaScripts version 2025.81, which implements proper input validation and sanitization to prevent SQL injection.
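The pattern described above, as an added illustration that is not FacturaScripts' own code: an ORDER BY builder that concatenates the request's sort parameter verbatim, next to a hardened builder that accepts only allowlisted column names and the literal directions ASC/DESC. The sort parameter is modelled here as a mapping of column to direction, the `clientes` table and its columns are constructed for the demo, and SQLite stands in for the MySQL/PostgreSQL back ends the product actually uses; all of those are assumptions for the example.

```python
import sqlite3

# Allowlist of columns the API may sort on. In a real application this comes
# from the model definition on the server side, never from the request.
SORTABLE_COLUMNS = {"codcliente", "nombre", "fecha"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


class InvalidSortError(ValueError):
    """Raised when a sort parameter names a column or direction outside the allowlist."""


def order_by_unsafe(sort):
    """Vulnerable pattern: request-controlled column and direction strings are
    pasted into the clause unchanged, so any text reaches the SQL engine."""
    if not sort:
        return ""
    return " ORDER BY " + ", ".join(f"{col} {direction}" for col, direction in sort.items())


def order_by_safe(sort, sortable=SORTABLE_COLUMNS):
    """Hardened pattern: every column must be an exact allowlist entry and every
    direction must be ASC or DESC. Bound parameters cannot protect identifiers,
    so the allowlist is the control; identifier quoting (dialect-specific, double
    quotes here for SQLite/PostgreSQL) is defence in depth on top of it."""
    if not sort:
        return ""
    parts = []
    for col, direction in sort.items():
        if col not in sortable:
            raise InvalidSortError(f"unknown sort column: {col!r}")
        direction = str(direction).upper()
        if direction not in ALLOWED_DIRECTIONS:
            raise InvalidSortError(f"invalid sort direction: {direction!r}")
        parts.append(f'"{col}" {direction}')
    return " ORDER BY " + ", ".join(parts)


def list_clients(conn, sort):
    """Return client codes ordered according to a validated sort mapping."""
    sql = "SELECT codcliente, nombre FROM clientes" + order_by_safe(sort)
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run the hardened builder against a constructed in-memory table and show
    that allowlisted input sorts correctly while anything else is rejected."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clientes (codcliente TEXT, nombre TEXT, fecha TEXT)")
    conn.executemany("INSERT INTO clientes VALUES (?, ?, ?)", [
        ("C002", "Beta SL", "2025-03-01"),     # constructed sample rows
        ("C001", "Alpha SA", "2025-01-15"),
        ("C003", "Gamma SL", "2025-02-10"),
    ])
    results = {
        "asc": list_clients(conn, {"codcliente": "asc"}),
        "desc": list_clients(conn, {"codcliente": "DESC"}),
        "rejected": [],
    }
    # Neither of these is a valid sort request; both must fail before any SQL runs.
    for bad in ({"not_a_column": "ASC"}, {"nombre": "sideways"}):
        try:
            list_clients(conn, bad)
        except InvalidSortError as exc:
            results["rejected"].append(str(exc))
    return results


if __name__ == "__main__":
    print(demo())
```

The important property is that `order_by_safe` compares the column against the allowlist by exact membership rather than by escaping or pattern-stripping: escaping is a value-level defence and does not make an arbitrary string a valid identifier.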
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive financial and operational data managed within FacturaScripts. Exploitation could lead to unauthorized data disclosure, data tampering, or denial of service by corrupting database queries. Given FacturaScripts' usage among small and medium enterprises (SMEs) across Europe for accounting and ERP functions, a successful attack could disrupt business operations, cause regulatory compliance issues (e.g., GDPR violations due to data breaches), and result in financial losses. The requirement for authentication reduces the risk from external attackers but increases the threat from insider attacks or compromised credentials. Organizations relying on FacturaScripts for critical business processes may face operational downtime and reputational damage if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the urgency for patching, as attackers may develop exploits rapidly once the vulnerability is public.
Mitigation Recommendations
European organizations should immediately upgrade FacturaScripts installations to version 2025.81 or later, which contains the patch for this SQL injection vulnerability. Until upgrades are applied, organizations should restrict API access to trusted users and networks, enforce strong authentication and credential management to prevent unauthorized access, and monitor API logs for unusual sorting parameter usage indicative of exploitation attempts. Implementing Web Application Firewalls (WAFs) with rules to detect and block SQL injection patterns in API requests can provide additional protection. Conduct thorough code reviews and penetration testing focusing on API endpoints that accept sorting parameters to identify any residual injection risks. Educate developers and administrators on secure coding practices, especially regarding input validation and sanitization. Regularly audit user privileges to minimize the number of authenticated users who can access the API. Finally, maintain up-to-date backups of critical data to enable recovery in case of data corruption or loss.
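The interim recommendation to monitor API logs for unusual sort parameter usage, as an added example that is not part of the advisory or of FacturaScripts: a small scanner over constructed common-log-format lines that flags sort parameters whose column is not a plain identifier or whose direction is not ASC/DESC. The `/api/3/<resource>` path and the `sort[column]=direction` query form are assumptions about the request shape made for the example; adjust the regular expressions to the real log format and API routes before use.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in common-log style. The two 10.0.0.9 requests carry
# malformed sort parameters; the others are well-formed.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2026:07:43:30 +0000] "GET /api/3/clientes?sort[codcliente]=ASC HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2026:07:43:31 +0000] "GET /api/3/clientes?sort[nombre]=desc&limit=50 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Feb/2026:07:44:02 +0000] "GET /api/3/clientes?sort[codcliente]=ASC%27 HTTP/1.1" 500 77
10.0.0.9 - - [12/Feb/2026:07:44:05 +0000] "GET /api/3/facturas?sort[nombre%20x]=ASC HTTP/1.1" 200 1900
10.0.0.7 - - [12/Feb/2026:07:45:00 +0000] "GET /api/3/facturas?sort=fecha HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")      # what a column name should look like
SORT_KEY_RE = re.compile(r"^sort(?:\[(?P<col>.*)\])?$")  # sort=<col> or sort[<col>]=<dir>
DIRECTIONS = {"ASC", "DESC"}


def check_sort_param(key, value):
    """Return None if (key, value) is not a sort parameter or is well-formed,
    otherwise a short reason describing why it looks anomalous."""
    m = SORT_KEY_RE.match(key)
    if not m:
        return None
    col = m.group("col")
    if col is None:
        # Flat form: the value itself names the column.
        return None if IDENT_RE.match(value) else f"sort value is not a plain identifier: {value!r}"
    if not IDENT_RE.match(col):
        return f"sort column is not a plain identifier: {col!r}"
    if value.upper() not in DIRECTIONS:
        return f"sort direction is not ASC/DESC: {value!r}"
    return None


def find_suspicious_sorts(log_text):
    """Scan log lines and return one finding per anomalous sort parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes keys and values, so encoded quotes and spaces
        # are inspected in their decoded form.
        for key, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                reason = check_sort_param(key, value)
                if reason:
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                     "target": m.group("target"), "reason": reason})
    return findings


def count_by_ip(findings):
    """Aggregate findings per source address to surface repeated probing."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious_sorts(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["reason"])
    print(count_by_ip(hits))
```

Because the check is structural (identifier shape and a two-value direction set) rather than a signature list, it flags any malformed sort value, including ones a WAF rule set has no pattern for; the trade-off is that it only sees parameters that appear in the access log, so request bodies need a separate source.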
Affected Countries
Germany, France, Spain, Italy, Netherlands, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T18:21:42.486Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6983a8cef9fa50a62fa9fe8d
Added to database: 2/4/2026, 8:15:10 PM
Last enriched: 2/12/2026, 7:43:30 AM
Last updated: 3/22/2026, 5:05:13 AM
Views: 78