Apache Fineract
20 CVEs affecting Apache Fineract. Latest disclosed: 2025-12-12. Critical: 5, High: 12.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-23538 | Critical | 9.9 | 2024-03-29 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8… |
| CVE-2018-11801 | Critical | 9.8 | 2019-06-11 | SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table. |
| CVE-2018-11800 | Critical | 9.8 | 2019-06-11 | SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related ta… |
| CVE-2018-1290 | Critical | 9.8 | 2018-04-20 | In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can… |
| CVE-2025-58130 | Critical | 9.1 | 2025-12-12 | Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12… |
| CVE-2024-32838 | High | 8.8 | 2025-02-12 | SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an au… |
| CVE-2022-44635 | High | 8.8 | 2022-11-29 | Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Finer… |
| CVE-2018-1289 | High | 8.8 | 2018-04-20 | In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific… |
| CVE-2017-5663 | High | 8.8 | 2017-12-14 | In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able… |
| CVE-2024-23537 | High | 8.4 | 2024-03-29 | Improper Privilege Management vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0… |
| CVE-2024-23539 | High | 8.3 | 2024-03-29 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8… |
| CVE-2025-58137 | High | 8.1 | 2025-12-12 | Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in v… |
| CVE-2023-25195 | High | 8.1 | 2023-03-28 | Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to se… |
| CVE-2018-1292 | High | 8.1 | 2018-04-20 | Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data… |
| CVE-2018-1291 | High | 8.1 | 2018-04-20 | Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Pa… |
| CVE-2018-20243 | High | 7.5 | 2020-10-13 | The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in fineract jira issues… |
| CVE-2020-17514 | High | 7.4 | 2021-05-27 | Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the m… |
| CVE-2025-23408 | Medium | 6.5 | 2025-12-12 | Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users… |
| CVE-2023-25197 | Medium | 6.3 | 2023-03-28 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized us… |
| CVE-2023-25196 | Medium | 4.3 | 2023-03-28 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized us… |