## https://sploitus.com/exploit?id=BA5C381E-882D-5133-A105-3067A00C84CE
# CVE-2026-54596 - Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration
**Severity:** High
**Advisory:** [GHSA-f9m3-qjc9-v27j](https://github.com/itflow-org/itflow/security/advisories/GHSA-f9m3-qjc9-v27j)
**Fixed in:** Commit [7211426](https://github.com/itflow-org/itflow/commit/721142629296ac8e335a79b32fd4d2df721234a8)
**Author:** [iltosec](https://iltosec.com)
## Summary
An SQL injection vulnerability in ITFlow's recurring invoice creation endpoint, reachable through the `recurring_invoice_frequency` parameter, allows any authenticated user with the Technician role to exfiltrate arbitrary data from the database. A Technician with access to at least one client invoice can extract admin password hashes, SMTP credentials, and all user account data in a single HTTP request, without any admin interaction.
This is an authenticated vulnerability. The minimum required role is Technician.
Full write-up: [CVE-2026-54596: Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration](https://iltosec.com/blog/post/CVE-2026-54596-authenticated-itflow-sqli-recurring-invoice-frequency/)
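The bug class behind this advisory, as an added illustration that is not ITFlow's code or the exploit's: a request value spliced straight into query text, beside the shape a prepared-statement fix takes (allow-list the value, then bind it as a parameter). The table name, column names and the set of accepted frequency values are assumptions made for this example, and the injection-shaped input is constructed here rather than taken from the write-up.

```php
<?php
// Added illustration, not ITFlow's code. Table/column names and the
// accepted frequency values are assumptions for this example only.

/**
 * Vulnerable pattern: the request value is interpolated into the SQL text.
 * Returns the query string that would be handed to the database driver.
 */
function build_insert_vulnerable(int $client_id, string $frequency): string {
    // $frequency arrives from $_POST['recurring_invoice_frequency'] unchecked.
    return "INSERT INTO recurring_invoices (client_id, frequency) "
         . "VALUES ($client_id, '$frequency')";
}

// Assumed allow-list: whatever the application actually accepts belongs here.
const ALLOWED_FREQUENCIES = ['week', 'month', 'quarter', 'year'];

/**
 * Hardened pattern: reject anything outside the known set, then keep the
 * value out of the query text entirely by passing it as a bound parameter.
 * Returns ['sql' => ..., 'params' => [...]] or null when the value is rejected.
 */
function build_insert_safe(int $client_id, string $frequency): ?array {
    if (!in_array($frequency, ALLOWED_FREQUENCIES, true)) {
        return null;
    }
    // With mysqli this becomes: $stmt = $db->prepare($sql);
    //                           $stmt->bind_param('is', $client_id, $frequency);
    return [
        'sql'    => 'INSERT INTO recurring_invoices (client_id, frequency) VALUES (?, ?)',
        'params' => [$client_id, $frequency],
    ];
}

// Constructed inputs: a normal value and one that terminates the string literal.
$benign    = 'month';
$malicious = "month'); -- ";

// Vulnerable builder: the second call shows the literal closed early and the
// remainder of the original statement commented out; anything after the quote
// is executed as SQL.
echo build_insert_vulnerable(1, $benign), PHP_EOL;
echo build_insert_vulnerable(1, $malicious), PHP_EOL;

// Hardened builder: the benign value is accepted and bound; the malicious one
// never reaches a query string at all.
var_dump(build_insert_safe(1, $benign));
var_dump(build_insert_safe(1, $malicious)); // NULL
```

Run it with the PHP CLI (`php example.php`) to see both query shapes side by side. The allow-list check is what makes the value a closed set; the bound parameter is what guarantees the database never parses it as SQL, so either control alone is weaker than the two together.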
## Usage
```bash
python exploit.py http://itflow.com limiteduser@x.com 'emsJ_;PD@@;-r>4' 2 --all
```
The password argument is single-quoted because it contains shell metacharacters (`;` and `>`); an unquoted value would be split by the shell before it reaches the script.