FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that allows authenticated attackers with SAGLANALYTIC permission to execute arbitrary SQL queries by injecting malicious code into the PARAM2 and PARAM_3 POST parameters. Attackers can exploit time-based blind SQL injection through SLEEP() functions that are amplified across JOIN result sets to cause denial of service by exhausting database connections, or extract arbitrary database content through UNION-based injection techniques.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40523.json",
"cwe_ids": [
"CWE-89"
],
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "CPE_FIELD"
},
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "DESCRIPTION"
}
],
"cna_assigner": "VulnCheck"
}