CVE-2026-42878 - Vulnerability Details

Description

FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026.

Published: 2026-05-27

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

FacturaScripts, an open source accounting solution, contains an unauthenticated vulnerability in its Installer controller that triggers a phpinfo() call when a remote attacker requests the URL path with the parameter ?phpinfo=TRUE. The resulting output exposes the full PHP configuration, server environment variables, file system paths, and loaded extensions. This disclosure can reveal database credentials, API keys, or other application secrets stored as environment variables, posing a significant confidentiality risk. The weakness is classified as CWE‑200: Information Exposure.

Affected Systems

The issue affects installations of FacturaScripts provided by NeoRazorX that run any version prior to v2026. In those deployments, the Installer controller is reachable by default and vulnerable to this parameter. Version v2026 and later include the fix that removes the ability to trigger phpinfo() through the installer.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and while EPSS data is unavailable, the lack of CISA KEV listing suggests no large‐scale exploitation has been observed to date. Attackers only need to send an unauthenticated HTTP GET request to the affected endpoint, which is commonly accessible over the Internet. Given the ease of exploitation and potential exposure of sensitive configuration data, the risk to affected systems remains high if unpatched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NeoRazorX

facturascripts

affected

Version	Status	Constraints
`< v2026`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to FacturaScripts v2026 or later to remove the vulnerable installer endpoint and disable phpinfo() exposure.
If upgrading is not immediately possible, block or remove the '?phpinfo' query parameter in the web server configuration (e.g., via .htaccess or the application router).
Ensure that environment variables containing credentials are not exposed by PHP configuration and consider setting restrictions in php.ini (disable expose_php) to reduce information leakage.

Generated by OpenCVE AI on May 27, 2026 at 19:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-vrxf-vrc4-22p7	FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7

History

Wed, 27 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026.
Title		FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts
Weaknesses		CWE-200
References		https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T18:28:05.666Z

Updated: 2026-05-27T18:28:05.666Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42878

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-27T19:16:17.763

Modified: 2026-05-27T19:49:48.143

Link: CVE-2026-42878

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object