| CVE ID | CVE-2025-13776 |
| Publication date | 24 February 2026 |
| Vendor | TIK-SOFT |
| Product | Finka-FK, Finka-KPR, Finka-Płace, Finka-Faktura, Finka-Magazyn, Finka-STW |
| Vulnerable versions | Finka-FK (<18.5), Finka-KPR (<16.6), Finka-Płace (<13.4), Finka-Faktura (<18.3), Finka-Magazyn (<8.3), Finka-STW (<12.3) |
| Vulnerability type (CWE) | Use of Hard-coded Credentials (CWE-798) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about a vulnerability in Finka-FK, Finka-KPR, Finka-Płace, Finka-Faktura, Finka-Magazyn and Finka-STW software and participated in the coordination of its disclosure.
CVE-2025-13776: Multiple Finka programs use hard-coded Firebird database credentials, which are shared across all instances of this software. An attacker on the local network who knows the default credentials is able to read and edit database content.
This vulnerability has been fixed in the following versions:
Finka-FK 18.5
Finka-KPR 16.6
Finka-Płace 13.4
Finka-Faktura 18.3
Finka-Magazyn 8.3
Finka-STW 12.3
Credits
We thank Wojciech Żebrowski (Wern128) for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.