Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-45262.

Upgrade to Pro
CVE-2026-45262 Splunk · SPL

Detect FacturaScripts REST API Authenticated SQL Injection via Where::sqlColumn Parenthesis Bypass (CVE-2026-45262) in Splunk

FacturaScripts prior to and including version 2026.1 contains an authenticated SQL injection vulnerability in the REST API 'filter' parameter. The Where::sqlColumn method fails to properly sanitize column/operator tokens when parentheses are used to bypass filter validation, allowing an authenticated low-privileged API user (with a valid API key) to inject arbitrary SQL via crafted filter[field][operator] query string parameters. Given CVSS 9.9 and CWE-918 (SSRF) alongside CWE-89, exploitation may extend beyond data exfiltration into internal request forgery via database-level functions (e.g., LOAD_FILE, or DB-driver network calls), enabling full compromise of the underlying MySQL/MariaDB/PostgreSQL instance and lateral movement into internal network segments reachable from the database host.

MITRE ATT&CK

Tactic
Initial Access Collection Exfiltration

SPL Detection Query

Splunk (SPL)
spl
index=web sourcetype=access_combined OR sourcetype=nginx:access uri_path="*/api/*"
| where match(uri_query, "filter\[[a-zA-Z0-9_]+\]")
| eval decoded_query=urldecode(uri_query)
| regex decoded_query="(?i)(\)\(|UNION\s+SELECT|SLEEP\(|BENCHMARK\(|OR\s+1=1|--\s|/\*)"
| table _time, clientip, method, uri_path, decoded_query, status
| sort -_time
critical severity medium confidence

Searches proxy/web access logs for FacturaScripts API filter parameters containing parenthesis-bypass or SQL injection syntax consistent with CVE-2026-45262.

Data Sources

Web Proxy LogsSplunk Stream HTTP

Required Sourcetypes

access_combinednginx:access

False Positives & Tuning

  • Analytics dashboards passing complex parenthesized filter expressions
  • Third-party integrations using legitimate compound filter logic
  • Vulnerability scanning tools probing the API with SQLi test payloads under authorization

Other platforms for CVE-2026-45262


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Parenthesis-Bypass Filter SQLi Probe

    Expected signal: HTTP access log entry showing the encoded filter parameter with '))' and 'OR 1=1--' tokens against the /api/3/clientes endpoint.

  2. Test 2Simulate UNION SELECT Injection via Filter Parameter

    Expected signal: Web access log and database general_log entries showing a UNION SELECT statement referencing fs_users table.

  3. Test 3Simulate Time-Based Blind SQLi via SLEEP()

    Expected signal: Observable response delay (~5s) in HTTP access logs plus SLEEP( token present in the decoded filter query string.

Unlock playbooks & atomic tests with Pro

Get the full detection package for CVE-2026-45262 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections