## https://sploitus.com/exploit?id=DA27B9A6-C321-5BB6-8030-42C8E8069D92
# CVE-2026-25513: FacturaScripts has SQL Injection in API ORDER BY Clause

## Overview

| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-25513 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Description

### Summary
**FacturaScripts contains a SQL Injection vulnerability in the REST API** (rated HIGH above) that lets any authenticated API user inject attacker-controlled SQL through the `sort` parameter. The flaw is in `ModelClass::getOrderBy()`, where the caller's sort column and direction are concatenated into the SQL ORDER BY clause without validation or sanitization, so it affects **every API endpoint** that supports sorting.

---

### Details

The FacturaScripts REST API exposes database models through various endpoints (e.g., `/api/3/users`, `/api/3/attachedfiles`, `/api/3/customers`). These endpoints support a `sort` parameter that allows clients to specify result ordering. The API processes this parameter through the `ModelClass::all()` method, which call...
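The following is an added illustration of the pattern described above, not FacturaScripts code and not the fix from the referenced commit; the function names (`vulnerableOrderBy`, `safeOrderBy`, `fetchNicks`), the `users` table and the probe payloads are assumptions made for the demo. It places a `getOrderBy()`-style builder that concatenates the caller's sort column and direction beside an allow-listing replacement, and runs both against an in-memory SQLite table through PDO so the effect of passing a subquery as the "column" is visible.

```php
<?php
declare(strict_types=1);

// Added illustration, not FacturaScripts code. Only the pattern (sort
// parameters concatenated into ORDER BY) comes from the advisory; every
// name and the sample data below are assumptions made for this demo.

/** Vulnerable: trusts both the column name and the direction. */
function vulnerableOrderBy(array $order): string
{
    $parts = [];
    foreach ($order as $column => $direction) {
        $parts[] = $column . ' ' . $direction;   // raw concatenation, no checks
    }
    return $parts ? ' ORDER BY ' . implode(', ', $parts) : '';
}

/** Hardened: column must be one the model exposes, direction must be ASC/DESC. */
function safeOrderBy(array $order, array $allowedColumns): string
{
    $parts = [];
    foreach ($order as $column => $direction) {
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("unknown sort column: {$column}");
        }
        $dir = strtoupper(trim((string) $direction));
        if ($dir !== 'ASC' && $dir !== 'DESC') {
            throw new InvalidArgumentException("invalid sort direction: {$direction}");
        }
        $parts[] = '"' . $column . '" ' . $dir;  // allow-listed identifier, quoted
    }
    return $parts ? ' ORDER BY ' . implode(', ', $parts) : '';
}

/** Runs a SELECT with the supplied ORDER BY fragment and returns the nicks in order. */
function fetchNicks(PDO $db, string $orderBy): array
{
    return $db->query('SELECT nick FROM users' . $orderBy)->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (nick TEXT, email TEXT, admin INTEGER)');
$db->exec("INSERT INTO users VALUES ('zed', 'a@example.test', 0), ('amy', 'z@example.test', 1)");

// Legitimate request, e.g. sort=nick:ASC, works the same with both builders.
echo implode(',', fetchNicks($db, vulnerableOrderBy(['nick' => 'ASC']))), "\n";

// Attacker request: the "column" is a CASE expression wrapping a subquery. The
// row order now depends on a condition the attacker chose, so each request
// leaks one bit about the database (boolean-based blind injection via ORDER BY).
$probeTrue  = "(CASE WHEN (SELECT count(*) FROM users WHERE admin=1) > 0 THEN nick ELSE email END)";
$probeFalse = "(CASE WHEN (SELECT count(*) FROM users WHERE admin=1) > 5 THEN nick ELSE email END)";
echo implode(',', fetchNicks($db, vulnerableOrderBy([$probeTrue => 'ASC']))), "\n";
echo implode(',', fetchNicks($db, vulnerableOrderBy([$probeFalse => 'ASC']))), "\n";

// The hardened builder rejects the same input before any SQL is built.
try {
    safeOrderBy([$probeTrue => 'ASC'], ['nick', 'email']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo implode(',', fetchNicks($db, safeOrderBy(['nick' => 'DESC'], ['nick', 'email']))), "\n";
```

With the sample rows, the two probes return the nicks in opposite orders: when the subquery condition holds the result is sorted by `nick`, otherwise by `email`, which is exactly the oracle an attacker uses to extract data one comparison at a time. The hardened builder never reaches the database for that input; it compares the requested column against the model's known field names and accepts only `ASC` or `DESC`, which is the shape of fix an ORDER BY injection needs, since identifiers cannot be bound as prepared-statement parameters.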

## Affected Products

- **facturascripts/facturascripts** (versions: < 2025.81)


## CWE Classification

- CWE-20: Improper Input Validation
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-943: Improper Neutralization of Special Elements in Data Query Logic
- CWE-1286: Improper Validation of Syntactic Correctness of Input


## References

- https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-cjfx-qhwm-hf99
- https://github.com/NeoRazorX/facturascripts/commit/1b6cdfa9ee1bb3365ea4a4ad753452035a027605
- https://nvd.nist.gov/vuln/detail/CVE-2026-25513
- https://github.com/advisories/GHSA-cjfx-qhwm-hf99


## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.