Description
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
Published: 2026-05-05
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper validation flaw in FacturaScripts allows an authenticated user to alter the nick parameter in the EditUser controller. The nick field is intended to be immutable, and changing it can rename any account, including the administrator account. This flaw, classified as CWE-472, provides attackers with the ability to impersonate users or undermine account integrity, potentially leading to further exploitation depending on associated permissions.

Affected Systems

The vulnerability affects NeoRazorX FacturaScripts, specifically versions 2025.92 and earlier. It applies to the open‑source accounting and invoicing application where the EditUser controller processes POST requests containing a nick form‑data parameter.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity; no EPSS score is available, and the vulnerability is not listed in CISA KEV. The likely attack path is a crafted or intercepted POST request to the EditUser endpoint: an authenticated user with permission to edit users can modify the nick field. Attackers must already be logged in and hold the necessary edit rights, but renaming an administrator account can lead to higher privilege access if the system trusts the nick field for authentication or authorization checks.

Generated by OpenCVE AI on May 5, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FacturaScripts to a version released after 2025.92 that includes a validation check on the nick field.
  • Restrict or remove EditUser controller access for non‑administrative users to prevent unauthorized modifications.
  • Implement server‑side validation that rejects changes to the nick parameter unless explicitly allowed by system policy, following the guidance of CWE-472 to enforce immutable fields.
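As an added illustration of the last action (this is not FacturaScripts code; the function, exception class, field names and sample records are hypothetical), a PHP guard that compares the submitted form-data against the stored user record and refuses an update whose nick differs, regardless of whether the UI exposes the field:

```php
<?php
// Added example, not FacturaScripts code: server-side guard for an
// immutable field on an update request. All names are hypothetical.

final class ImmutableFieldViolation extends RuntimeException {}

/**
 * Merge submitted form-data into the stored record, refusing any change
 * to fields declared immutable. The comparison is made against the record
 * as loaded from storage, so a request that simply adds the field still
 * fails even though the form never rendered it.
 *
 * @param array<string,mixed> $stored    record as loaded from the database
 * @param array<string,mixed> $request   raw POST form-data
 * @param string[]            $immutable field names that may never change
 * @return array<string,mixed> the record that may be persisted
 */
function applyUserUpdate(array $stored, array $request, array $immutable = ['nick']): array
{
    foreach ($immutable as $field) {
        if (array_key_exists($field, $request)
            && (string) $request[$field] !== (string) ($stored[$field] ?? '')) {
            throw new ImmutableFieldViolation(
                sprintf('Field "%s" is immutable and cannot be changed', $field)
            );
        }
    }
    // Copy only fields that exist on the stored record and are not immutable,
    // so unknown or protected keys in the request are dropped, not persisted.
    $updated = $stored;
    foreach ($request as $field => $value) {
        if (!in_array($field, $immutable, true) && array_key_exists($field, $stored)) {
            $updated[$field] = $value;
        }
    }
    return $updated;
}

// Constructed sample: a stored admin record and a request that tries to
// rename it while also changing an editable field.
$stored  = ['nick' => 'admin', 'email' => 'admin@example.invalid', 'admin' => true];
$request = ['nick' => 'renamed', 'email' => 'new@example.invalid'];

try {
    $record = applyUserUpdate($stored, $request);
} catch (ImmutableFieldViolation $e) {
    // Reject loudly and leave an audit trail rather than silently ignoring the field.
    error_log('EditUser rejected: ' . $e->getMessage());
    http_response_code(400);
}
```

With the sample request the call throws, so nothing is persisted; with the nick key absent or equal to the stored value, only the email field is updated.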


Advisories
Source: GitHub GHSA
ID: GHSA-pp79-hqv6-vmc3
Title: FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field
History

Tue, 05 May 2026 21:15:00 +0000

Values removed: (none)
Values added:
  First Time appeared: Neorazorx; Neorazorx facturascripts
  Vendors & Products: Neorazorx; Neorazorx facturascripts

Tue, 05 May 2026 20:15:00 +0000

Values removed: (none)
Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 19:30:00 +0000

Values removed: (none)
Values added:
  Description: FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
  Title: FacturaScripts unauthorized modification of immutable nick field via EditUser controller
  Weaknesses: CWE-472
  References: (none listed)
  Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:44:45.408Z

Reserved: 2026-03-13T14:33:42.823Z

Link: CVE-2026-32699

Vulnrichment

Updated: 2026-05-05T19:44:14.602Z

NVD

Status: Received

Published: 2026-05-05T20:16:35.693

Modified: 2026-05-05T20:16:35.693

Link: CVE-2026-32699

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T21:00:09Z

Weaknesses