CVE-2026-25514: FacturaScripts has SQL Injection in Autocomplete Actions

February 3, 2026 (updated February 4, 2026)

FacturaScripts contains a critical SQL Injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding.

References

github.com/NeoRazorX/facturascripts
github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f
github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952
github.com/advisories/GHSA-pqqg-5f4f-8952
nvd.nist.gov/vuln/detail/CVE-2026-25514

Code Behaviors & Features

Detect and mitigate CVE-2026-25514 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →