iltosec/CVE-2026-54596
CVE-2026-54596 - Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration

Severity: High
Advisory: GHSA-f9m3-qjc9-v27j
Fixed in: Commit 7211426
Author: iltosec

Summary

An SQL injection vulnerability in ITFlow's recurring invoice creation endpoint allows any authenticated user with the Technician role to exfiltrate arbitrary data from the database. A Technician who has access to at least one client invoice can extract admin password hashes, SMTP credentials, and all user account data in a single HTTP request, without any admin interaction.

This is an authenticated vulnerability. The minimum required role is Technician.

Full write-up: CVE-2026-54596: Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration

Usage

python exploit.py http://itflow.com limiteduser@x.com 'emsJ_;PD@@;-r>4' 2 --all