Home

Description

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.

PUBLISHED Reserved 2026-04-13 | Published 2026-06-29 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 7.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
affected

Any version before 2.4.20
affected

647a18196caad27f96ea852e993c9e30f815357f (git)
unaffected

Credits

Jiva (JivaSecurity) finder

References

jivasecurity.com/...li-journal-entries-report-cve-2026-40524 exploit

jivasecurity.com/...li-journal-entries-report-cve-2026-40524 technical-description exploit

sourceforge.net/p/frontaccounting/news/2026/04/release-2420/ release-notes

github.com/...ommit/647a18196caad27f96ea852e993c9e30f815357f patch

www.vulncheck.com/...g-sql-injection-via-get-gl-transactions third-party-advisory

cve.org (CVE-2026-40524)

nvd.nist.gov (CVE-2026-40524)

Download JSON