Skip to main content

FacturaScripts CVE-2026-27892

MEDIUM
Information Exposure (CWE-200)
2026-05-07 https://github.com/NeoRazorX/facturascripts GHSA-q7f2-rv22-2xgr
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 20:01 vuln.today
Analysis Generated
May 07, 2026 - 20:01 vuln.today
CVE Published
May 07, 2026 - 19:33 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

Fectura Scripts is an open-source ERP application, a sensitive information disclosure vulnerability was identified in the Library module's image upload and download pipeline. The application fails to strip EXIF and other embedded metadata from user-uploaded image files before storing them and serving them for download. As a result, any authenticated user who downloads an image from the Library can extract the original uploader's GPS coordinates, device information, timestamps, embedded comments/notes, thumbnail previews, and other personally identifiable information (PII) preserved in the image metadata.

This vulnerability carries significant real-world impact: an employee uploading a photo taken at their home inadvertently discloses their precise home address to every user with Library download access.

---

Affected Functionality Overview

Fectura Scripts exposes image upload capabilities across several modules (e.g., email composition, profile settings, etc.). During testing, the Library section was identified as the only module that provides:

  • Full image upload (unrestricted image types observed)
  • Persistent storage of uploaded files
  • Direct download capability for any authenticated user with access
  • No server-side metadata sanitization at any point in the pipeline (upload, storage, or delivery)

Other modules (e.g., email attachments) were also tested but either did not render images or had limited upload/download exposure.

---

Technical Background

What Is EXIF/Image Metadata?

Most modern image formats (JPEG, TIFF, PNG with ancillary chunks, HEIC, WebP with XMP) embed metadata automatically at creation time. This metadata can include:

Metadata CategoryExample FieldsPrivacy Risk
GPS / GeolocationGPSLatitude, GPSLongitude, GPSAltitude, GPSTimestampCritical - reveals exact physical location
Device InformationMake, Model, Software, LensModelMedium - device fingerprinting
TimestampsDateTimeOriginal, CreateDate, ModifyDateMedium - behavioral profiling
User CommentsUserComment, ImageDescription, XPComment, XPAuthorHigh - may contain names, notes, PII
ThumbnailsThumbnailImage (embedded JPEG preview)High - may preserve original uncropped image
Serial NumbersBodySerialNumber, LensSerialNumber, InternalSerialNumberMedium - unique device tracking
Network/SoftwareHostComputer, Software, ProcessingSoftwareLow-Medium - infrastructure disclosure
XMP / IPTCCreator, Rights, Description, KeywordsMedium - organizational/authorship leakage

Why This Matters in an ERP Context

ERP platforms are used by businesses with multiple employees, contractors, clients, and sometimes external partners accessing shared resources. The Library module is inherently a collaborative, shared-access feature. Any image uploaded by one party is downloadable by many others - creating a one-to-many PII exposure vector.

---

Step-by-Step Reproduction

Prerequisites

  • A valid user account with access to the Library module (tested with Admin role; lower-privilege roles should also be tested)
  • A test image file containing rich EXIF/metadata (see Step 1)
  • An EXIF analysis tool: exiftool (CLI), or any online EXIF viewer

---

Step 1: Prepare a Metadata-Rich Test Image

Create or obtain a JPEG image with embedded GPS and descriptive metadata. You can inject test metadata using exiftool:

bash
exiftool \
  -GPSLatitude="48.8566" \
  -GPSLatitudeRef="N" \
  -GPSLongitude="2.3522" \
  -GPSLongitudeRef="E" \
  -GPSAltitude="35" \
  -UserComment="Confidential: Taken at employee home address" \
  -XPAuthor="John Doe" \
  -Make="Apple" \
  -Model="iPhone 15 Pro Max" \
  -DateTimeOriginal="2025:01:15 09:30:00" \
  test_image.jpg

Verify metadata is present:

bash
exiftool test_image.jpg

Expected output should show all injected fields including GPS coordinates resolving to Paris, France (48.8566°N, 2.3522°E).

---

Step 2: Log in to Fectura Scripts

  1. Navigate to the Fectura Scripts login page.
  2. Authenticate with valid credentials.
  3. Confirm access to the application dashboard.

---

Step 3: Navigate to the Library Section

  1. From the main navigation/sidebar, click on "Library" (or equivalent menu entry).
  2. Confirm the Library module loads and displays existing files/images (if any).

---

Step 4: Upload the Test Image

  1. Click the "Upload" button/action within the Library interface.
  2. Select the prepared test_image.jpg file.
  3. Complete the upload process (fill any required fields such as title/description if prompted).
  4. Confirm the image appears in the Library listing.

---

Step 5: Download the Image (as the Same or Different User)

  1. Locate the uploaded image in the Library.
  2. Click the "Download" button/link (or right-click → Save As on the rendered image, depending on UI).
  3. Save the file locally as downloaded_image.jpg.

> Note: For stronger proof of impact, perform this step logged in as a different user account with Library access, demonstrating cross-user information leakage.

---

Step 6: Extract and Analyze Metadata from the Downloaded File

Run exiftool on the downloaded file:

bash
exiftool downloaded_image.jpg

Observed Result (Vulnerable):

GPS Latitude                    : 48 deg 51' 23.76" N
GPS Longitude                   : 2 deg 21' 7.92" E
GPS Altitude                    : 35 m
GPS Position                    : 48.8566°N, 2.3522°E
User Comment                    : Confidential: Taken at employee home address
XP Author                       : John Doe
Make                            : Apple
Model                           : iPhone 15 Pro Max
Date/Time Original              : 2025:01:15 09:30:00
...
[ALL original metadata preserved in full]

Expected Result (Secure):

All EXIF, XMP, IPTC, GPS, and comment fields should be stripped or neutralized before storage or at download time. Only essential image rendering data should remain.

---

Step 7: Confirm GPS Resolution to Physical Location

Take the extracted GPS coordinates and resolve them:

https://www.google.com/maps?q=48.8566,2.3522

This confirms the metadata resolves to a precise, real-world physical location - demonstrating the severity of the leak.

---

Root Cause Analysis

The application's image upload handler in the Library module stores the uploaded file byte-for-byte without any server-side processing to remove metadata. The download handler then serves the identical file. At no point in the pipeline is any of the following performed:

  1. EXIF stripping (e.g., via libraries like Intervention Image, Imagick::stripImage(), Python Pillow's .save() without EXIF, or jpegtran -copy none)
  2. Re-encoding / reprocessing of the image (which would naturally discard non-image data)
  3. Selective metadata whitelisting (preserving only color profile / orientation data)
  4. Content-Disposition header enforcement to prevent inline rendering with metadata intact

This is a design-level omission rather than a bypassable control - there is simply no metadata handling logic present.

---

Impact Assessment

Direct Impacts

ImpactDescriptionSeverity
Geolocation DisclosureGPS coordinates in uploaded photos can reveal home addresses, office locations, client sites, travel patterns of employeesHigh
PII LeakageAuthor names, comments, device owner names embedded in metadata expose personal identityHigh
Device FingerprintingCamera make/model, serial numbers, and software versions enable tracking and targeting of specific individuals or devicesMedium
Behavioral ProfilingTimestamps and sequential GPS data across multiple uploads can reconstruct an individual's movements and scheduleHigh
Embedded Thumbnail LeakageThumbnails may preserve the original uncropped image, potentially exposing content the user intentionally cropped out (documented in prior CVEs)Medium-High

Contextual / Escalated Impacts

  • Regulatory Exposure: GPS coordinates and author names constitute personal data under GDPR (Art. 4(1)), CCPA, and similar frameworks. Failure to strip this data from shared/downloadable resources may constitute a data protection violation for organizations using Fectura Scripts.
  • Insider Threat Amplification: A malicious insider (employee, contractor) with Library download access can silently harvest geolocation and identity data of colleagues without any logging or indication to the victim.
  • Physical Security Risk: In sectors where employee physical safety is paramount (e.g., legal, law enforcement, journalism, NGOs, domestic violence support), leaking home GPS coordinates through an ERP system represents a direct physical safety threat.
  • Supply Chain Risk: If the Library is shared with external partners/vendors, the exposure surface extends beyond the organization.

Why CVSS 6.5 Understates the Risk

The CVSS base score of 6.5 reflects the mechanical characteristics of the vulnerability (network-accessible, low complexity, authenticated). However, the contextual severity is higher because:

  1. Users have no expectation that uploading an image to an ERP system will broadcast their home coordinates.
  2. The attack is completely passive - the attacker simply downloads a file; no exploitation toolkit or special skills are required.
  3. The leaked data (GPS, PII) is irrevocable - once downloaded, the victim cannot "un-leak" their location.
  4. The vulnerability affects every image ever uploaded to the Library, creating a retroactive exposure of historical data.

Recommended effective severity: HIGH for any deployment handling real employee/client data.

---

Recommended Remediation

Immediate (Short-Term)

PriorityAction
P0Implement server-side EXIF/metadata stripping on all image uploads in the Library module before storage.
P0Retroactively strip metadata from all existing images already stored in the Library.
P1Extend metadata stripping to all other upload endpoints across the application (email attachments, profile photos, product images, etc.).

Implementation Guidance (by Language/Stack)

PHP (likely stack for Fectura Scripts):

php
// Using GD (built-in, no dependencies)
function stripMetadata($sourcePath, $destPath) {
    $image = imagecreatefromjpeg($sourcePath);
    imagejpeg($image, $destPath, 95); // Re-encodes, discarding all EXIF
    imagedestroy($image);
}

// Using Imagick (if available)
$img = new Imagick($sourcePath);
$img->stripImage(); // Removes all EXIF, IPTC, XMP profiles
$img->writeImage($destPath);

Python:

python
from PIL import Image
img = Image.open("uploaded.jpg")
data = list(img.getdata())
clean = Image.new(img.mode, img.size)
clean.putdata(data)
clean.save("clean.jpg")

Command-line (for retroactive cleanup):

bash
# Strip all metadata from all JPEGs in the library storage directory
exiftool -all= -overwrite_original /path/to/library/uploads/*.jpg

Long-Term (Architectural)

PriorityAction
P1Establish a centralized file upload processing pipeline that all modules route through, ensuring consistent sanitization.
P1Add Content Security Policy and Content-Disposition: attachment headers on all file downloads to reduce inline rendering risks.
P2Implement a configurable metadata policy (e.g., allow admins to choose between full strip, preserve orientation only, or preserve color profile).
P2Add file type validation (magic byte checking, not just extension) to the upload pipeline.
P3Consider adding a user-facing warning at upload time: "Note: Image metadata will be stripped for privacy."

---

9. References

ResourceURL
CWE-200: Exposure of Sensitive Informationhttps://cwe.mitre.org/data/definitions/200.html
CWE-212: Improper Removal of Sensitive Information Before Storage or Transferhttps://cwe.mitre.org/data/definitions/212.html
NIST NVD CVSS v3.1 Calculatorhttps://www.first.org/cvss/calculator/3.1
GDPR Art. 4(1) - Definition of Personal Datahttps://gdpr-info.eu/art-4-gdpr/
ExifTool by Phil Harveyhttps://exiftool.org/
Related CVEhttps://nvd.nist.gov/vuln/detail/CVE-2023-29850

---

11. Conclusion

The absence of image metadata sanitization in Fectura Scripts' Library module is a clear, easily exploitable, and high-impact information disclosure vulnerability. It requires no technical skill to exploit (just a file download and a free tool), it leaks data that users never intended to share (home GPS coordinates, personal identity), and it affects every image ever uploaded to the platform retroactively.

While the CVSS base score of 6.5 categorizes this as "Medium," the real-world privacy consequences - particularly under GDPR and in contexts where physical safety is relevant - warrant treating this with High urgency. The fix is straightforward, well-documented, and should be implemented immediately across all upload endpoints.

<img width="1920" height="1020" alt="image" src="https://github.com/user-attachments/assets/80cbdd80-fc80-45f2-b125-e0557e94ac40" />

<img width="1920" height="1020" alt="image" src="https://github.com/user-attachments/assets/53fd80bb-cd41-48d6-a9b8-3129f307bce6" />

AnalysisAI

FacturaScripts fails to strip EXIF and metadata from user-uploaded images in the Library module, allowing any authenticated user with download access to extract GPS coordinates, device information, timestamps, author names, and other personally identifiable information from downloaded files. An employee uploading a photo taken at their home inadvertently discloses their precise home address to all users with Library access. This affects all image uploads retroactively, with no patched version currently available.

Technical ContextAI

FacturaScripts is a PHP-based open-source ERP application (pkg:composer/facturascripts/facturascripts) that provides file upload and collaborative library functionality across multiple modules. The Library module accepts image uploads without server-side metadata sanitization. JPEG, PNG, TIFF, HEIC, and WebP images automatically embed EXIF (Exchangeable Image File Format), XMP (Extensible Metadata Platform), and IPTC metadata at creation time. This metadata includes GPS coordinates (GPSLatitude, GPSLongitude, GPSAltitude), device fingerprints (camera make/model/serial numbers), embedded comments (UserComment, ImageDescription, XPComment), author fields (XPAuthor, Creator), and thumbnail previews. The root cause (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer) is a design-level omission - the application stores uploaded files byte-for-byte without any metadata stripping at upload, storage, or download stages. No re-encoding, EXIF removal libraries (Imagick::stripImage, Intervention Image, Python Pillow), or selective metadata whitelisting is implemented anywhere in the pipeline.

RemediationAI

No vendor-released patch is currently available. Immediate remediation requires implementing server-side EXIF and metadata stripping on all image uploads before storage. For PHP environments, use GD's re-encoding (imagecreatefromjpeg + imagejpeg, which discards EXIF) or Imagick's stripImage() method. Command-line remediation for retroactively cleaning existing library files: exiftool -all= -overwrite_original /path/to/library/uploads/*.jpg. Extend metadata stripping to all upload endpoints across the application (email attachments, profile photos, product images), not just Library. Configure Content-Disposition: attachment headers and Content Security Policy to prevent inline metadata leakage during download. Implement a centralized file upload processing pipeline to ensure consistent sanitization across all modules. Monitor vendor repository (https://github.com/NeoRazorX/facturascripts) for patched release and apply immediately upon availability. As a temporary mitigation, restrict Library download access to only essential users and consider disabling image uploads in Library until a patch is deployed; note that this reduces functionality and does not address retroactive exposure of already-uploaded files.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-27892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy