THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-5qmh-x653-g8qj (critical) — FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn`

[GHSA] GHSA-5qmh-x653-g8qj (critical) — FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn`

highgithub_advisoriesPublished 2026-07-14

GHSA-5qmh-x653-g8qj Severity: critical CVE: CVE-2026-45262

FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn`

## Summary

> **Live PoC verified 2026-04-30** against a stock FacturaScripts master at `127.0.0.1:8081`. A scoped `ApiKey` with `fullaccess=0` and an `ApiAccess` row granting `allowget=1` on the `clien

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://github.com/advisories/GHSA-5qmh-x653-g8qj