Skip to main content

FacturaScripts CVE-2026-27891

| EUVDEUVD-2026-30808 HIGH
Improper Input Validation (CWE-20)
2026-05-07 https://github.com/NeoRazorX/facturascripts GHSA-3pgc-xqg9-cfr6
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 18, 2026 - 22:16 EUVD
Source Code Evidence Fetched
May 07, 2026 - 20:00 vuln.today
Analysis Generated
May 07, 2026 - 20:00 vuln.today
CVE Published
May 07, 2026 - 19:32 nvd
HIGH 7.2

DescriptionGitHub Advisory

Summary

A Critical vulnerability exists in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory.

Details

The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder.

js
// Vulnerable logic in Plugins.php
for ($index = 0; $index < $zipFile->numFiles; $index++) {
    $data = $zipFile->statIndex($index);
    $path = explode('/', $data['name']);
    if (count($path) > 1) {
        $folders[$path[0]] = $path[0];
    }
}

An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has permissions the root directory.

PoC

Prepare Malicious ZIP: Use a tool (like evilarc) or a script to create a ZIP file where one of the entries is named: MyPlugin/../../rce.php Inject Payload: Inside rce.php, put a simple shell: <?php system($_GET['cmd']); ?> Upload: Navigate to the "Add Plugin" section in FacturaScripts and upload the malicious ZIP. Execution: Access the shell via https://target.com/rce.php?cmd=whoami.

Impact

Confidentiality: High (Attacker can read all database configs and files). Integrity: High (Attacker can modify any file on the server). Availability: High (Attacker can delete the entire installation). > https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-27891.md

AnalysisAI

Remote code execution in FacturaScripts ≤2025.71 allows authenticated administrators to upload malicious ZIP files containing path traversal sequences (Zip Slip attack) through the plugin installation mechanism. The vulnerable Plugins::add() function fails to sanitize file paths within ZIP archives, enabling attackers to write arbitrary PHP files outside the plugins directory and execute system commands. A public proof-of-concept exists demonstrating full system compromise. CVSS scores this at 7.2 (High) but requires high-privilege authentication (PR:H), significantly limiting real-world attack surface to scenarios involving compromised admin credentials or malicious insiders.

Technical ContextAI

This vulnerability affects FacturaScripts, a PHP-based open-source billing and accounting application (pkg:composer/facturascripts_facturascripts). The flaw resides in the Plugins.php file's testZipFile validation logic, which implements insufficient path traversal protection during plugin ZIP extraction. The code uses PHP's explode() function to parse file paths and verify a single root folder exists, but does not normalize or sanitize path components before extraction. This represents a classic CWE-20 (Improper Input Validation) failure pattern. The vulnerability exploits the semantic gap between path validation (which operates on split string arrays) and file extraction (which processes literal paths including '../' sequences). During extraction, the ZipArchive class writes files based on unsanitized paths, allowing directory traversal outside the intended plugins directory to any location where the web server process has write permissions.

RemediationAI

No vendor-released patch has been identified at the time of analysis according to the GitHub advisory data. The upstream repository (https://github.com/NeoRazorX/facturascripts) has published advisory GHSA-3pgc-xqg9-cfr6 acknowledging the vulnerability but no fixed version is specified in available data. Until an official patch is released, implement these compensating controls: (1) Restrict plugin installation permissions to only fully trusted administrators and audit all accounts with this capability; (2) Implement file integrity monitoring on the web root directory to detect unauthorized PHP file creation; (3) Configure web server permissions using principle of least privilege-ensure the PHP process cannot write to the web root or application base directory, only to designated upload/cache directories (note: this may break legitimate plugin installation functionality); (4) Deploy a web application firewall rule to inspect uploaded ZIP files for path traversal sequences in entry names, though this may cause false positives with legitimately complex plugin structures. Monitor the official GitHub repository and GHSA-3pgc-xqg9-cfr6 for patch availability.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-27891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy