Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in multiple Finka applications
24 February 2026 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-13776
Publication date 24 February 2026
Vendor TIK-SOFT
Product Finka-FK, Finka-KPR, Finka-Płace, Finka-Faktura, Finka-Magazyn, Finka-STW
Vulnerable versions Finka-FK (<18.5)
Finka-KPR (<16.6)
Finka-Płace (<13.4)
Finka-Faktura (<18.3)
Finka-Magazyn (<8.3)
Finka-STW (<12.3)
Vulnerability type (CWE) Use of Hard-coded Credentials (CWE-798)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerability in Finka-FK, Finka-KPR, Finka-Płace, Finka-Faktura, Finka-Magazyn and Finka-STW software and participated in coordination of its disclosure.

The vulnerability CVE-2025-13776: Multiple Finka programs use hard-coded Firebird database credentials (shared across all instances of this software). A malicious attacker in local network who knows default credentials is able to read and edit database content.

This vulnerability has been fixed in version:

Finka-FK 18.5

Finka-KPR 16.6

Finka-Płace 13.4

Finka-Faktura 18.3

Finka-Magazyn 8.3

Finka-STW 12.3

Credits

We thank Wojciech Żebrowski (Wern128) for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.