Description
FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists in the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.
Published: 2026-05-27
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FacturaScripts, an open‑source accounting and invoicing platform, contains an authenticated, unrestricted file‑upload flaw in its product image upload. By uploading a PHP script that starts with a GIF89a header, an attacker can bypass the MIME‑type check and store the file with a .php extension. This allows execution of arbitrary PHP code on the server, resulting in full remote code execution by any user who can authenticate to the application.

Affected Systems

NeoRazorX FacturaScripts versions 2025.81 and earlier are affected. The vulnerability resides in the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php, which processes uploaded product images.

Risk and Exploitability

With a CVSS score of 6.3, the flaw is rated moderate severity. Exploitation requires valid credentials, so the attack vector is authenticated and remote, but the payoff of arbitrary code execution is significant. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Any attacker who can authenticate to the system can upload a crafted GIF that contains PHP code, thereby taking control of the application and potentially the surrounding infrastructure.

Generated by OpenCVE AI on May 27, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch that updates FacturaScripts to a version later than 2025.81 as announced in the advisory.
  • Remove or rename any .php files that have been uploaded to the product image directory to prevent execution.
  • Configure the server to reject any file uploads that do not have a strict image MIME type and ensure that uploaded files are stored with a non‑executable extension.
  • Restrict user roles so that only trusted administrators can upload product images.

Generated by OpenCVE AI on May 27, 2026 at 19:09 UTC.
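The following is an added example of the hardened handling the actions above describe; it is not FacturaScripts code and does not reproduce addImageAction(). It assumes PHP 8 with the GD extension, one $_FILES entry as input, and a storage directory (a hypothetical $storageDir) where the web server does not execute scripts. The stored extension is taken from an allowlist driven by the decoded image type, never from the client filename, and the bytes written are a GD re-encoding rather than the uploaded bytes.

```php
<?php
// Added example, not FacturaScripts code: a hardened product-image upload
// handler. $file is one $_FILES entry; $storageDir is assumed to be a
// directory where the web server does not execute scripts.
declare(strict_types=1);
// Decoded image type (getimagesize IMAGETYPE_*) => extension stored on disk.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];
// Returns the stored path, or null when the upload is rejected.
function storeProductImage(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 1. Allowlist the client extension: ".php" (or any non-image name) is
    //    rejected before the content is even looked at.
    $clientExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($clientExt, ALLOWED_IMAGE_TYPES, true)) {
        return null;
    }

    // 2. Pick the output format from the content. getimagesize() only parses
    //    the header, so "GIF89a" + PHP source passes it; it is not the gate.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }
    $ext = ALLOWED_IMAGE_TYPES[$info[2]];

    // 3. Decode with GD and re-encode. Whatever GD makes of the input, the
    //    bytes written are its own output, never the uploaded bytes.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'gif' => imagegif($img, $dest),
        'jpg' => imagejpeg($img, $dest),
        'png' => imagepng($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $dest : null;
}
```

The server-generated random filename also removes the original name from the equation entirely, which is what makes the extension check in step 1 a defence in depth rather than the only barrier.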


Advisories

Source: Github GHSA
ID: GHSA-vf3q-frmr-vrr9
Title: FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
History

Wed, 27 May 2026 18:45:00 +0000

Values added (no values removed):

Description: FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists in the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.
Title: FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
Weaknesses: CWE-434, CWE-94
References:
Metrics: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:29:46.718Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42879

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-27T19:16:18.173

Modified: 2026-05-27T19:49:48.143

Link: CVE-2026-42879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses