Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
A Critical vulnerability exists in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory.
Details
The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder.
// Vulnerable logic in Plugins.php
for ($index = 0; $index < $zipFile->numFiles; $index++) {
$data = $zipFile->statIndex($index);
$path = explode('/', $data['name']);
if (count($path) > 1) {
$folders[$path[0]] = $path[0];
}
}An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has permissions the root directory.
PoC
Prepare Malicious ZIP: Use a tool (like evilarc) or a script to create a ZIP file where one of the entries is named: MyPlugin/../../rce.php Inject Payload: Inside rce.php, put a simple shell: <?php system($_GET['cmd']); ?> Upload: Navigate to the "Add Plugin" section in FacturaScripts and upload the malicious ZIP. Execution: Access the shell via https://target.com/rce.php?cmd=whoami.
Impact
Confidentiality: High (Attacker can read all database configs and files). Integrity: High (Attacker can modify any file on the server). Availability: High (Attacker can delete the entire installation). > https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-27891.md
AnalysisAI
Remote code execution in FacturaScripts ≤2025.71 allows authenticated administrators to upload malicious ZIP files containing path traversal sequences (Zip Slip attack) through the plugin installation mechanism. The vulnerable Plugins::add() function fails to sanitize file paths within ZIP archives, enabling attackers to write arbitrary PHP files outside the plugins directory and execute system commands. A public proof-of-concept exists demonstrating full system compromise. CVSS scores this at 7.2 (High) but requires high-privilege authentication (PR:H), significantly limiting real-world attack surface to scenarios involving compromised admin credentials or malicious insiders.
Technical ContextAI
This vulnerability affects FacturaScripts, a PHP-based open-source billing and accounting application (pkg:composer/facturascripts_facturascripts). The flaw resides in the Plugins.php file's testZipFile validation logic, which implements insufficient path traversal protection during plugin ZIP extraction. The code uses PHP's explode() function to parse file paths and verify a single root folder exists, but does not normalize or sanitize path components before extraction. This represents a classic CWE-20 (Improper Input Validation) failure pattern. The vulnerability exploits the semantic gap between path validation (which operates on split string arrays) and file extraction (which processes literal paths including '../' sequences). During extraction, the ZipArchive class writes files based on unsanitized paths, allowing directory traversal outside the intended plugins directory to any location where the web server process has write permissions.
RemediationAI
No vendor-released patch has been identified at the time of analysis according to the GitHub advisory data. The upstream repository (https://github.com/NeoRazorX/facturascripts) has published advisory GHSA-3pgc-xqg9-cfr6 acknowledging the vulnerability but no fixed version is specified in available data. Until an official patch is released, implement these compensating controls: (1) Restrict plugin installation permissions to only fully trusted administrators and audit all accounts with this capability; (2) Implement file integrity monitoring on the web root directory to detect unauthorized PHP file creation; (3) Configure web server permissions using principle of least privilege-ensure the PHP process cannot write to the web root or application base directory, only to designated upload/cache directories (note: this may break legitimate plugin installation functionality); (4) Deploy a web application firewall rule to inspect uploaded ZIP files for path traversal sequences in entry names, though this may cause false positives with legitimately complex plugin structures. Monitor the official GitHub repository and GHSA-3pgc-xqg9-cfr6 for patch availability.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30808
GHSA-3pgc-xqg9-cfr6