FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the getgltransactions() function where the filtertype parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SAGLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.
{
"cwe_ids": [
"CWE-89"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40524.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "CPE_FIELD"
},
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "DESCRIPTION"
}
],
"cna_assigner": "VulnCheck"
}