Description
FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory. The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder. An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has permissions, including the root directory. This issue is fixed in version 2026.1.
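The root-folder count described above passes because it only looks at the first path segment. A hardened pre-extraction check validates every entry name instead; this is an added example, not FacturaScripts' own code, and the plugin-name pattern it enforces is an assumption rather than the project's actual naming rule.

```php
<?php
// Added example, not FacturaScripts' own code: validate every entry name in a
// plugin ZIP before extraction, instead of only counting root folders as the
// vulnerable testZipFile check does. Returns a list of errors; empty means safe.
function validatePluginZipEntries(array $entryNames): array
{
    $errors = [];
    $roots  = [];
    foreach ($entryNames as $name) {
        // Normalise backslashes: archives built on Windows may use them as separators.
        $path = str_replace('\\', '/', $name);
        if ($path === '' || $path[0] === '/' || preg_match('/^[A-Za-z]:/', $path)) {
            $errors[] = "absolute or empty entry path: {$name}";
            continue;
        }
        $segments = explode('/', $path);
        if (in_array('..', $segments, true)) {
            // A '..' segment anywhere in the path escapes the plugins directory on extraction.
            $errors[] = "path traversal in entry: {$name}";
            continue;
        }
        // Assumed plugin-name rule: plain identifier, no separators and no dots.
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $segments[0])) {
            $errors[] = "invalid root folder in entry: {$name}";
            continue;
        }
        $roots[$segments[0]] = true;
    }
    if (count($roots) !== 1) {
        $errors[] = 'archive must contain exactly one root folder, found ' . count($roots);
    }
    return $errors;
}

// The same check applied to an archive on disk via the ZipArchive extension.
function validatePluginZipFile(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ["cannot open archive: {$zipPath}"];
    }
    $names = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $names[] = $zip->getNameIndex($i);
    }
    $zip->close();
    return validatePluginZipEntries($names);
}

// Constructed sample: the entry name quoted in the advisory next to two benign entries.
print_r(validatePluginZipEntries(['ValidPluginName/', 'ValidPluginName/Init.php', 'ValidPluginName/../../shell.php']));
```

Rejecting the archive before any call to extract is the point: once an entry with `..` reaches the extractor, the filesystem decides where it lands.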
Published: 2026-05-18
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FacturaScripts versions 2026 and earlier contain a failure to sanitize file paths in uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack that writes arbitrary files outside the intended plugins directory, including overwriting PHP files executable by the web server. The result is remote code execution, with full control over the system. The weakness involves improper input validation (CWE-20) and unrestricted uploading of archives (CWE-434).

Affected Systems

NeoRazorX FacturaScripts, specifically the FacturaScripts application. Affected versions are 2026 and all earlier releases. The flaw is addressed in version 2026.1.

Risk and Exploitability

The vulnerability has a CVSS score of 7.2, indicating a high risk to confidentiality, integrity, and availability. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires access to the plugin upload interface, which typically requires authenticated application access. An attacker who obtains the ability to upload plugins can craft a ZIP containing a path such as "ValidPluginName/../../shell.php"; during extraction the path traversal overwrites a PHP file, allowing arbitrary code execution. The exploitation burden is relatively low because the validation logic is simple. Because of the high potential impact, rapid patching or mitigation is strongly recommended.

Generated by OpenCVE AI on May 18, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FacturaScripts to version 2026.1 or later, which includes a fix for the ZIP path validation bug.
  • Restrict the plugin upload feature to authorized administrators only, limiting the attack surface for unauthenticated users.
  • If an upgrade is not immediately possible, disable the plugin upload functionality or remove the vulnerable Plugins::add() code until the patch is applied.

Advisories

  • Source: GitHub GHSA
  • ID: GHSA-3pgc-xqg9-cfr6
  • Title: FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism

History

Mon, 18 May 2026 22:45:00 +0000

Values added:
  • First time appeared: Neorazorx; Neorazorx facturascripts
  • Vendors & Products: Neorazorx; Neorazorx facturascripts

Mon, 18 May 2026 21:45:00 +0000

Values added:
  • Description: identical to the description at the top of this page
  • Title: Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism
  • Weaknesses: CWE-20, CWE-434
  • References
  • Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T21:16:15.240Z

Reserved: 2026-02-24T15:19:29.717Z

Link: CVE-2026-27891

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T22:16:38.370

Modified: 2026-05-18T22:16:38.370

Link: CVE-2026-27891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T22:30:25Z

Weaknesses