CVE-2025-13776

Multiple Finka programs use hard-coded Firebird database credentials (shared across all instances of this software). A malicious attacker in local network who knows default credentials is able to read and edit database content. This vulnerability has been fixed in version: Finka-FK 18.5, Finka-KPR 16.6, Finka-Płace 13.4, Finka-Faktura 18.3, Finka-Magazyn 8.3, Finka-STW 12.3

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert.pl/en/posts/2026/01/CVE-2025-13776	Broken Link
https://finka.pl/	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:finka:finka-faktura::::::::
	cpe:2.3:a:finka:finka-fk::::::::
	cpe:2.3:a:finka:finka-kpr::::::::
	cpe:2.3:a:finka:finka-magazyn::::::::
	cpe:2.3:a:finka:finka-place::::::::
	cpe:2.3:a:finka:finka-stw::::::::

History

No history.

Information

Published : 2026-02-24 17:29

Updated : 2026-02-26 19:38

NVD link : CVE-2025-13776

Mitre link : CVE-2025-13776

CVE.ORG link : CVE-2025-13776

JSON object : View

Products Affected

finka

finka-faktura
finka-magazyn
finka-stw
finka-fk
finka-place
finka-kpr

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2025-13776", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-24T17:29:02.023", "references": [{"url": "https://cert.pl/en/posts/2026/01/CVE-2025-13776", "tags": ["Broken Link"], "source": "cvd@cert.pl"}, {"url": "https://finka.pl/", "tags": ["Product"], "source": "cvd@cert.pl"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "Multiple Finka programs use hard-coded Firebird database credentials (shared across all instances of this software). A malicious attacker in local network who knows default credentials is able to read and edit database content.\n\nThis vulnerability has been fixed in version: Finka-FK 18.5, Finka-KPR 16.6, Finka-P\u0142ace 13.4, Finka-Faktura 18.3, Finka-Magazyn 8.3, Finka-STW 12.3"}, {"lang": "es", "value": "M\u00faltiples programas Finka usan credenciales de la base de datos Firebird almacenadas en el c\u00f3digo (compartidas entre todas las instancias de este software). Un atacante malicioso en la red local que conozca las credenciales predeterminadas es capaz de leer y editar el contenido de la base de datos.\n\nEsta vulnerabilidad ha sido corregida en la versi\u00f3n: Finka-FK 18.5, Finka-KPR 16.6, Finka-P?ace 13.4, Finka-Faktura 18.3, Finka-Magazyn 8.3, Finka-STW 12.3"}], "lastModified": "2026-02-26T19:38:41.043", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:finka:finka-faktura:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF2B0BEA-3304-43D2-8853-3D9AAAD1DC96", "versionEndExcluding": "18.3"}, {"criteria": "cpe:2.3:a:finka:finka-fk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5187EEB-FFBD-4124-97F1-972FE4084EBA", "versionEndExcluding": "18.5"}, {"criteria": "cpe:2.3:a:finka:finka-kpr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA490D51-95A8-43C6-83CD-81712060E248", "versionEndExcluding": "16.6"}, {"criteria": "cpe:2.3:a:finka:finka-magazyn:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEB36851-86B8-4C87-B9D7-AC546067E63C", "versionEndExcluding": "8.3"}, {"criteria": "cpe:2.3:a:finka:finka-place:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0931342A-0EB3-4A5B-8BF7-6127EB63B92B", "versionEndExcluding": "13.4"}, {"criteria": "cpe:2.3:a:finka:finka-stw:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A18E827-0BDD-4384-98BC-C5C3F21BECBE", "versionEndExcluding": "12.3"}], "operator": "OR"}]}], "sourceIdentifier": "cvd@cert.pl"}