CVE-2026-40522 | FrontAccounting before 2.4.20 contains a SQL injection vulne… | CVSS 7.1 HIGH

Description

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through the unparameterized WHERE clause to retrieve sensitive information including usernames, password hashes, and email addresses from the users table, rendered into PDF report output.

Metadata

CVE ID: CVE-2026-40522
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-04-13 20:29 UTC
Published: 2026-06-29 12:29 UTC
Last updated: 2026-06-29 13:42 UTC
Primary CWE: CWE-89
Improper Neutralization of Special Elements used in an SQL C…
Vendor / Product: FrontAccounting / FrontAccounting
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
FrontAccounting	FrontAccounting	—	0 < 2.4.20, 894adaf71393e0ef6a04fe6036fcd2464050f590

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-916	cna	Use of Password Hash With Insufficient Computational Effort

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
7.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (4)