Description
FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadata, which included GPS coordinates, device information, timestamps, embedded comments/notes, thumbnail previews, and other personally identifiable information (PII) preserved in the image metadata. Of all FacturaScripts' image upload features, only the Library module combined unrestricted uploads, persistent storage, authenticated download access, and a total lack of server-side metadata sanitization. This vulnerability carries significant real-world impact: an employee uploading a photo taken at their home inadvertently discloses their precise home address to every user with Library download access. This issue has been fixed in version 2026.
Published: 2026-05-18
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue arises because the Library module stores and serves uploaded images without removing EXIF, XMP, or IPTC metadata. Any authenticated user who downloads an image can extract stored GPS coordinates, device information, timestamps, comments, and thumbnails, resulting in the disclosure of personal location data and other sensitive information. This leakage can reveal an employee’s home address or other private details to all users with download access, creating a significant privacy violation.

Affected Systems

NeoRazorX FacturaScripts, versions released before 2026, uses the Library module that allows unrestricted uploads and provides authenticated download access without sanitizing metadata. These affected releases are any builds in the FacturaScripts codebase containing that module prior to the 2026 release that implements server‑side metadata stripping.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate to high severity. EPSS is not available, so the exact exploitation probability is unknown but likely low to moderate; the vulnerability is also not listed in CISA KEV. The attack vector requires authenticated access; an attacker must be a legitimate user with permissions to download library images, but no additional privileges are needed. Once authenticated, the attacker can retrieve any image’s embedded metadata, leading to privacy exposure but no direct system compromise or denial of service.

Generated by OpenCVE AI on May 18, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FacturaScripts to version 2026 or later, where the Library module removes EXIF/XMP/IPTC metadata before storage and serving.
  • Restrict download permissions for the Library module to only those users who strictly need access to image files, reducing the potential audience for leaked metadata.
  • Audit and monitor user activity on the Library module, reviewing download logs for anomalous or excessive access patterns that could indicate privacy breaches.

Generated by OpenCVE AI on May 18, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q7f2-rv22-2xgr FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download
History

Tue, 19 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Neorazorx
Neorazorx facturascripts
Vendors & Products Neorazorx
Neorazorx facturascripts

Mon, 18 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadata, which included GPS coordinates, device information, timestamps, embedded comments/notes, thumbnail previews, and other personally identifiable information (PII) preserved in the image metadata. Of all FacturaScripts' image upload features, only the Library module combined unrestricted uploads, persistent storage, authenticated download access, and a total lack of server-side metadata sanitization. This vulnerability carries significant real-world impact: an employee uploading a photo taken at their home inadvertently discloses their precise home address to every user with Library download access. This issue has been fixed in version 2026.
Title FacturaScripts: Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download
Weaknesses CWE-200
CWE-212
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Neorazorx Facturascripts
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T21:51:26.139Z

Reserved: 2026-02-24T15:19:29.717Z

Link: CVE-2026-27892

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-18T22:16:38.543

Modified: 2026-05-18T22:16:38.543

Link: CVE-2026-27892

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T00:00:13Z

Weaknesses