Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-45262.

Upgrade to Pro
CVE-2026-45262

FacturaScripts REST API Authenticated SQL Injection via Where::sqlColumn Parenthesis Bypass (CVE-2026-45262)

FacturaScripts prior to and including version 2026.1 contains an authenticated SQL injection vulnerability in the REST API 'filter' parameter. The Where::sqlColumn method fails to properly sanitize column/operator tokens when parentheses are used to bypass filter validation, allowing an authenticated low-privileged API user (with a valid API key) to inject arbitrary SQL via crafted filter[field][operator] query string parameters. Given CVSS 9.9 and CWE-918 (SSRF) alongside CWE-89, exploitation may extend beyond data exfiltration into internal request forgery via database-level functions (e.g., LOAD_FILE, or DB-driver network calls), enabling full compromise of the underlying MySQL/MariaDB/PostgreSQL instance and lateral movement into internal network segments reachable from the database host.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
composer
Product
facturascripts/facturascripts
Versions
<= 2026.1

Weakness (CWE)

Timeline

Disclosed
July 14, 2026

CVSS

9.9
Critical (9.0–10)

CVSS vector not yet published

Read the write-up →

What is CVE-2026-45262 FacturaScripts REST API Authenticated SQL Injection via Where::sqlColumn Parenthesis Bypass (CVE-2026-45262)?

FacturaScripts REST API Authenticated SQL Injection via Where::sqlColumn Parenthesis Bypass (CVE-2026-45262) (CVE-2026-45262) maps to the Initial Access and Collection and Exfiltration tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for FacturaScripts REST API Authenticated SQL Injection via Where::sqlColumn Parenthesis Bypass (CVE-2026-45262), covering the data sources and telemetry it touches: Azure App Service HTTP Logs, Web Application Firewall Logs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Collection Exfiltration
Microsoft Sentinel / Defender
kusto
let SuspiciousPatterns = dynamic(["'", "--", "/*", "UNION", "SELECT", "OR 1=1", "))", "((", "SLEEP(", "BENCHMARK("]);
AppServiceHTTPLogs
| where CsUriStem has "/api/" and CsUriStem has_any ("facturascripts", "3/")
| where CsUriQuery has "filter"
| extend DecodedQuery = url_decode(CsUriQuery)
| where DecodedQuery matches regex @"filter\[[a-zA-Z0-9_]+\]\[[a-zA-Z0-9_]*\)\(" or DecodedQuery has_any (SuspiciousPatterns)
| project TimeGenerated, CIp, CsMethod, CsUriStem, DecodedQuery, ScStatus
| order by TimeGenerated desc

Detects requests to FacturaScripts REST API endpoints where the filter[] query parameter contains parenthesis-bypass patterns or classic SQLi tokens indicative of CVE-2026-45262 exploitation.

critical severity medium confidence

Data Sources

Azure App Service HTTP Logs Web Application Firewall Logs

Required Tables

AppServiceHTTPLogs

False Positives

  • Legitimate nested filter expressions using parentheses for date range queries
  • Automated QA/regression test suites exercising the filter API with edge-case syntax
  • Security scanners performing authorized penetration testing against the API

Sigma rule & cross-platform mapping

The detection logic for FacturaScripts REST API Authenticated SQL Injection via Where::sqlColumn Parenthesis Bypass (CVE-2026-45262) (CVE-2026-45262) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Parenthesis-Bypass Filter SQLi Probe

    Expected signal: HTTP access log entry showing the encoded filter parameter with '))' and 'OR 1=1--' tokens against the /api/3/clientes endpoint.

  2. Test 2Simulate UNION SELECT Injection via Filter Parameter

    Expected signal: Web access log and database general_log entries showing a UNION SELECT statement referencing fs_users table.

  3. Test 3Simulate Time-Based Blind SQLi via SLEEP()

    Expected signal: Observable response delay (~5s) in HTTP access logs plus SLEEP( token present in the decoded filter query string.

Unlock playbooks & atomic tests with Pro

Get the full detection package for CVE-2026-45262 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections