Description
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.
Problem types
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
Any version before 2.4.20
647a18196caad27f96ea852e993c9e30f815357f (git)
Credits
Jiva (JivaSecurity)
References
jivasecurity.com/...li-journal-entries-report-cve-2026-40524
jivasecurity.com/...li-journal-entries-report-cve-2026-40524
sourceforge.net/p/frontaccounting/news/2026/04/release-2420/
github.com/...ommit/647a18196caad27f96ea852e993c9e30f815357f
www.vulncheck.com/...g-sql-injection-via-get-gl-transactions