## https://sploitus.com/exploit?id=5F88E23B-F0F5-5B58-AEBA-7B3A66794AA0
# CVE-2026-25514: FacturaScripts has SQL Injection in Autocomplete Actions

## Overview

| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-25514 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Description

### Summary
**FacturaScripts contains a critical SQL Injection vulnerability in the autocomplete functionality** that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the `CodeModel::all()` method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding.

---

### Details

Multiple controllers in FacturaScripts, including `CopyModel`, `ListController`, and `PanelController`, implement an autocomplete action that processes user input through the `CodeModel::search()` or `CodeModel::all()` methods. These methods construct SQL queries by directly concatenating user-controlled parameters without an...
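The pattern the advisory describes, user-controlled parameters concatenated straight into the SQL text of an autocomplete query, is shown below next to a parameterized, allow-listed version. This is an added illustration written for this page, not FacturaScripts code and not the project's fix; the table name `demo_customers`, its columns, the sample rows and the allow-list are all constructed for the demo, and the example runs against an in-memory SQLite database via PDO.

```php
<?php
// Added illustrative example, not FacturaScripts code. It contrasts the unsafe
// pattern named in the advisory (user input concatenated into SQL) with a
// parameterised, allow-listed version. Table, columns and rows are constructed.

declare(strict_types=1);

// Unsafe: the search term is spliced into the SQL text, so any quote or SQL
// metacharacter in $term becomes part of the query structure rather than data.
function buildAutocompleteSqlUnsafe(string $table, string $column, string $term): string
{
    return "SELECT $column FROM $table WHERE $column LIKE '%" . $term . "%' LIMIT 10";
}

// Safe: identifiers are validated against an allow-list of known tables and
// columns (a bound parameter cannot stand in for an identifier), and the search
// term is bound as a value so the database never parses it as SQL.
function autocompleteSafe(PDO $db, string $table, string $column, string $term): array
{
    // Constructed allow-list for this demo; a real application would derive it
    // from its model definitions rather than hard-code it.
    $allowed = [
        'demo_customers' => ['name', 'email'],
    ];
    if (!isset($allowed[$table]) || !in_array($column, $allowed[$table], true)) {
        throw new InvalidArgumentException('Unknown table or column');
    }
    // Escape LIKE wildcards supplied by the user so they match literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT \"$column\" FROM \"$table\" WHERE \"$column\" LIKE :pattern ESCAPE '\\' LIMIT 10"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demo against an in-memory SQLite database populated with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_customers (name TEXT, email TEXT)');
$db->exec("INSERT INTO demo_customers VALUES ('Ana Garcia', 'ana@example.test'), ('Bob O''Neil', 'bob@example.test')");

// A perfectly ordinary search term containing an apostrophe.
$term = "O'Neil";

// The unsafe builder yields SQL whose quoting is now unbalanced: the query's
// shape depends on the caller's input, which is the root of the advisory.
echo "Unsafe query text: " . buildAutocompleteSqlUnsafe('demo_customers', 'name', $term) . "\n";

// The safe version returns the matching row and treats the term purely as data.
print_r(autocompleteSafe($db, 'demo_customers', 'name', $term));

// Identifiers not on the allow-list are rejected before any SQL is built.
try {
    autocompleteSafe($db, 'demo_customers', 'not_a_column', $term);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
```

Two design points worth noting for reviewers of similar autocomplete endpoints: the allow-list is what protects the table and column positions, because prepared-statement placeholders only cover values, and escaping the LIKE wildcards keeps a user from turning a prefix search into a full-table wildcard scan. Both checks belong in the shared query-builder method rather than in each controller that calls it.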

## Affected Products

- **facturascripts/facturascripts** (versions: < 2025.81)


## CWE Classification

- CWE-20: Improper Input Validation
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-943: Improper Neutralization of Special Elements in Data Query Logic


## References

- https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952
- https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f
- https://nvd.nist.gov/vuln/detail/CVE-2026-25514
- https://github.com/advisories/GHSA-pqqg-5f4f-8952


## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.