← العودة للجدول
CVE-2026-45262
CVE-2026-45262 — FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filte
📅 2026-07-14
🔴 Critical 🔥 PoC Only GHSA Data Breach Web CVSS 9.9

📋 الوصف الكامل

## Summary > **Live PoC verified 2026-04-30** against a stock FacturaScripts master at `127.0.0.1:8081`. A scoped `ApiKey` with `fullaccess=0` and an `ApiAccess` row granting `allowget=1` on the `clientes` resource only (no other rights, no UI session, no admin) issued one `GET /api/3/clientes?filter[(0)UNION%20SELECT%20...]=` request and the response body contained the raw bcrypt hash of the

💻 الأنظمة المتأثرة

MySQL | Oracle

⚠️ نوع التهديد

Data Breach

🔗 CVE ID

CVE-2026-45262

📡 المصدر

GHSA

✅ الحلول والتخفيف

Update to v9.9

🔗 المصدر الأصلي ← 📘 NVD ← ⚡ CISA KEV ← 🔍 Valters IT ←