CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-40522

highCVSS 7.1covered by 1 sourcefirst seen 2026-06-29
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through the unparameterized WHERE clause to retrieve sensitive information including usernames, password hashes, and email addresses from the users table, rendered into PDF report output.

⚡ Watch CVE-2026-40522

Get an email if CVE-2026-40522 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-40522

CVE.org record

Embed the live status

CVE-2026-40522 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-40522 status](https://www.csirts.com/badge/CVE-2026-40522)](https://www.csirts.com/cve/CVE-2026-40522)