Description
FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026.
Published: 2026-05-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FacturaScripts, an open source accounting solution, contains an unauthenticated vulnerability in its Installer controller that triggers a phpinfo() call when a remote attacker requests the URL path with the parameter ?phpinfo=TRUE. The resulting output exposes the full PHP configuration, server environment variables, file system paths, and loaded extensions. This disclosure can reveal database credentials, API keys, or other application secrets stored as environment variables, posing a significant confidentiality risk. The weakness is classified as CWE‑200: Information Exposure.

Affected Systems

The issue affects installations of FacturaScripts provided by NeoRazorX that run any version prior to v2026. In those deployments, the Installer controller is reachable by default and vulnerable to this parameter. Version v2026 and later include the fix that removes the ability to trigger phpinfo() through the installer.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and while EPSS data is unavailable, the lack of CISA KEV listing suggests no large‐scale exploitation has been observed to date. Attackers only need to send an unauthenticated HTTP GET request to the affected endpoint, which is commonly accessible over the Internet. Given the ease of exploitation and potential exposure of sensitive configuration data, the risk to affected systems remains high if unpatched.

Generated by OpenCVE AI on May 27, 2026 at 19:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FacturaScripts v2026 or later to remove the vulnerable installer endpoint and disable phpinfo() exposure.
  • If upgrading is not immediately possible, block or remove the '?phpinfo' query parameter in the web server configuration (e.g., via .htaccess or the application router).
  • Ensure that environment variables containing credentials are not exposed by PHP configuration and consider setting restrictions in php.ini (disable expose_php) to reduce information leakage.

Generated by OpenCVE AI on May 27, 2026 at 19:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vrxf-vrc4-22p7 FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint
History

Sat, 30 May 2026 10:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Neorazorx
Neorazorx facturascripts
Vendors & Products Neorazorx
Neorazorx facturascripts

Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026.
Title FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Neorazorx Facturascripts
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:12:12.260Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42878

cve-icon Vulnrichment

Updated: 2026-05-28T15:12:05.556Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T19:16:17.763

Modified: 2026-06-17T10:48:33.160

Link: CVE-2026-42878

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T04:15:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor