CVE-2026-25514: CWE-20: Improper Input Validation in NeoRazorX facturascripts
CVE-2026-25514 is a critical SQL injection vulnerability in FacturaScripts ERP software versions prior to 2025.81. It affects the autocomplete functionality, where user input is unsafely concatenated into SQL queries without proper sanitization or parameterization. Authenticated attackers can exploit this flaw to extract sensitive database information including user credentials, configuration data, and business records. The vulnerability stems from improper input validation in the CodeModel::all() method. No user interaction beyond authentication is needed, and the vulnerability has a high CVSS score of 8.7. Although no exploits are currently known in the wild, the impact on confidentiality, integrity, and availability is severe. The issue has been patched in version 2025.81.
AI Analysis
Technical Summary
FacturaScripts, an open-source ERP and accounting software developed by NeoRazorX, contains a critical SQL injection vulnerability identified as CVE-2026-25514. This vulnerability exists in versions prior to 2025.81 within the autocomplete feature, specifically in the CodeModel::all() method. The root cause is improper input validation (CWE-20) combined with unsafe SQL query construction (CWE-89, CWE-943), where user-supplied parameters are directly concatenated into SQL statements without sanitization or use of parameterized queries. An attacker with valid authentication credentials can exploit this flaw to perform unauthorized SQL queries, enabling extraction of sensitive data such as user credentials, configuration settings, and all stored business data. The vulnerability requires no additional user interaction and can be exploited remotely over the network (AV:N). The CVSS 4.0 vector indicates low attack complexity, no privileges beyond authentication required, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported, the vulnerability poses a significant risk to organizations relying on FacturaScripts for critical business operations. The vendor has addressed the issue in version 2025.81 by implementing proper input validation and parameterized query handling.
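The following added example illustrates the defect class the analysis describes, placed beside the corrected pattern. It is not FacturaScripts code and does not reproduce CodeModel::all(); the table, column and function names are hypothetical, and the schema is constructed in memory with sqlite3 so it runs offline. The vulnerable function builds the query by concatenation, so a search term containing a quote changes the query's logic; the hardened function binds the term as a parameter and allow-lists the identifiers (table and field names cannot be bound, so they must be validated against a fixed list).

```python
import sqlite3


def build_demo_db():
    # Constructed demo schema: a product table an autocomplete lookup would
    # search, plus a second table the caller should never be able to name.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE productos (referencia TEXT, descripcion TEXT);
        INSERT INTO productos VALUES ('A100', 'Widget alpha'), ('B200', 'Bolt beta');
        CREATE TABLE users (nick TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hash-placeholder');
    """)
    return conn


def autocomplete_vulnerable(conn, table, field, term):
    # The pattern the advisory describes (hypothetical simplification):
    # every caller-supplied value is spliced into the SQL text, so a quote
    # in `term` terminates the string literal and the rest is parsed as SQL.
    sql = ("SELECT " + field + " FROM " + table
           + " WHERE " + field + " LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


# Allow-list of searchable identifiers: the only table/field pairs the
# autocomplete endpoint is permitted to query.
ALLOWED = {"productos": {"referencia", "descripcion"}}


def autocomplete_hardened(conn, table, field, term):
    # Identifiers cannot be bound as parameters, so reject anything that is
    # not on the allow-list instead of trusting the caller.
    if table not in ALLOWED or field not in ALLOWED[table]:
        raise ValueError("unknown table/field")
    if len(term) > 50:
        raise ValueError("term too long")
    # The search term is passed as a bound parameter: quotes, OR, comment
    # markers and so on are matched as data, never interpreted as SQL.
    sql = f'SELECT "{field}" FROM "{table}" WHERE "{field}" LIKE ? LIMIT 20'
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    conn = build_demo_db()
    crafted = "' OR '1'='1"
    print("vulnerable:", autocomplete_vulnerable(conn, "productos", "descripcion", crafted))
    print("hardened:  ", autocomplete_hardened(conn, "productos", "descripcion", crafted))
```

With the crafted term, the vulnerable function returns every row because the WHERE clause has been rewritten into a tautology, while the hardened function returns nothing because no description contains that literal text; the same hardened function also refuses a request naming the `users` table.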
Potential Impact
For European organizations, exploitation of CVE-2026-25514 could lead to severe data breaches involving sensitive business and user information, potentially resulting in financial loss, reputational damage, and regulatory penalties under GDPR. The compromise of user credentials could enable further lateral movement within networks, escalating the attack impact. Integrity of financial and operational data could be undermined, affecting business continuity and decision-making. Availability may also be impacted if attackers manipulate or delete critical data. Given FacturaScripts’ use in small to medium enterprises across Europe for accounting and ERP functions, the vulnerability threatens a broad range of sectors including manufacturing, retail, and services. The high severity and ease of exploitation make timely patching essential to prevent exploitation and mitigate risks.
Mitigation Recommendations
European organizations using FacturaScripts should immediately upgrade to version 2025.81 or later where the vulnerability is patched. Until upgrade is possible, restrict access to the FacturaScripts application to trusted users and networks only, employing network segmentation and strong authentication controls. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the autocomplete functionality. Conduct thorough audits of user privileges to minimize the number of accounts with access to the vulnerable functionality. Monitor logs for unusual database queries or access patterns indicative of exploitation attempts. Educate users about the importance of using strong, unique credentials to reduce risk from credential compromise. Finally, ensure regular backups of business data are performed and tested to enable recovery in case of data integrity or availability issues.
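As an added example of the log monitoring recommended above (not part of the original advisory or of FacturaScripts), the script below scans web-server access-log lines for requests to an autocomplete endpoint whose parameters carry SQL injection indicators, and reports the source address and authenticated user so the events can be triaged. The endpoint path `/autocomplete`, the parameter names and the log lines are all constructed stand-ins; the indicator list is deliberately narrow (a quote followed by a boolean operator, SQL comment markers, UNION ... SELECT) so that an ordinary apostrophe such as `O'Brien` does not raise a false alert.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, ident, user, [timestamp], "METHOD TARGET PROTO", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Hypothetical path of the autocomplete request being monitored.
AUTOCOMPLETE_PATH = "/autocomplete"

# Indicators that a decoded parameter value is trying to alter SQL logic.
INDICATORS = [
    ("quote followed by boolean operator", re.compile(r"['\"]\s*(or|and)\s", re.I)),
    ("SQL comment sequence", re.compile(r"--|/\*")),
    ("UNION SELECT", re.compile(r"\bunion\b.*\bselect\b", re.I)),
]

# Constructed sample log: one benign lookup, two suspicious ones from the same
# client and account, an unrelated page, and a benign term with an apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [04/Feb/2026:20:15:10 +0000] "GET /autocomplete?field=descripcion&term=widg HTTP/1.1" 200 512
10.0.0.9 - jdoe [04/Feb/2026:20:15:12 +0000] "GET /autocomplete?field=descripcion&term=%27+OR+%271%27%3D%271 HTTP/1.1" 200 8192
10.0.0.9 - jdoe [04/Feb/2026:20:15:13 +0000] "GET /autocomplete?field=descripcion&term=abc%27-- HTTP/1.1" 200 2048
10.0.0.7 - msmith [04/Feb/2026:20:16:00 +0000] "GET /ListProducto HTTP/1.1" 200 3000
10.0.0.7 - msmith [04/Feb/2026:20:16:05 +0000] "GET /autocomplete?field=descripcion&term=O%27Brien HTTP/1.1" 200 400
"""


def scan_log(text):
    """Return one alert dict per autocomplete parameter value that matches an indicator."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        ip, user, method, target, status, size = m.groups()
        parts = urlsplit(target)
        if parts.path != AUTOCOMPLETE_PATH:
            continue
        # parse_qs URL-decodes values, so encoded quotes and spaces are visible.
        for name, values in parse_qs(parts.query).items():
            for value in values:
                reasons = [label for label, rx in INDICATORS if rx.search(value)]
                if reasons:
                    alerts.append({
                        "ip": ip, "user": user, "param": name,
                        "value": value, "reasons": reasons, "bytes": int(size),
                    })
    return alerts


def alerts_by_user(alerts):
    """Count alerts per authenticated account, useful for spotting a single abusive session."""
    counts = {}
    for a in alerts:
        counts[a["user"]] = counts.get(a["user"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ip']} {a['user']} {a['param']}={a['value']!r} -> {', '.join(a['reasons'])}")
    print("per user:", alerts_by_user(found))
```

The response size is carried along in each alert because an autocomplete response that is unusually large relative to the baseline is itself a useful signal that a query returned far more rows than a prefix search should.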
Affected Countries
Germany, France, United Kingdom, Spain, Italy, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T18:21:42.487Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6983a8cef9fa50a62fa9fe91
Added to database: 2/4/2026, 8:15:10 PM
Last enriched: 2/4/2026, 8:29:32 PM
Last updated: 2/4/2026, 11:07:23 PM
Related Threats
- CVE-2026-22038: CWE-532: Insertion of Sensitive Information into Log File in Significant-Gravitas AutoGPT (High)
- CVE-2026-1894: Improper Authorization in WeKan (Medium)
- CVE-2025-62616: CWE-918: Server-Side Request Forgery (SSRF) in Significant-Gravitas AutoGPT (Critical)
- CVE-2025-62615: CWE-918: Server-Side Request Forgery (SSRF) in Significant-Gravitas AutoGPT (Critical)
- CVE-2026-25585: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in InternationalColorConsortium iccDEV (High)