Skip to main content

FacturaScripts EUVDEUVD-2026-32625

| CVE-2026-42878 MEDIUM
Information Exposure (CWE-200)
2026-05-07 https://github.com/NeoRazorX/facturascripts GHSA-vrxf-vrc4-22p7
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 20:01 vuln.today
Analysis Generated
May 07, 2026 - 20:01 vuln.today
CVE Published
May 07, 2026 - 19:43 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

An unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated.

Details

The phpinfo() debug endpoint was intentionally added in commit 8c31c106 ("Added phpinfo option to the installer") on February 27, 2018, and has remained in the codebase for over 8 years across multiple major versions.

The feature appears to have been added as a convenience tool to help users diagnose PHP configuration during installation. However, it exposes sensitive server information to any unauthenticated attacker who knows the parameter.

Vulnerable code (Core/Controller/Installer.php ~line 115):

if ('TRUE' === $this->request->query('phpinfo', '')) { phpinfo(); return; }

This vulnerability is of the same class as CVE-2025-34081 (CONPROSYS HMI System unauthenticated phpinfo() exposure), which received a CVE assignment.

Introduced: commit 8c31c1060581ad6ad591c7689da3a8df8a29f486 (Feb 27 2018) Still present: v2026-39-g262e79208 (confirmed April 2026)

PoC

Prerequisites: Fresh FacturaScripts deployment where installation has not yet been completed (config.php does not contain db_name).

Step 1 - Clone and serve the application: git clone https://github.com/NeoRazorX/facturascripts cd facturascripts php -S localhost:8000

Step 2 - Send the following unauthenticated GET request: GET /?phpinfo=TRUE HTTP/1.1 Host: localhost:8000

Step 3 - Observe full phpinfo() output returned (20+ pages) containing:

  • Complete PHP configuration
  • All server environment variables
  • Filesystem paths
  • Loaded extensions and versions
  • HTTP request headers

No credentials, cookies, or prior interaction required.

Tested on: PHP 8.1.34, macOS, fresh clone with no configuration applied. Proof of concept screenshot/PDF available.

Impact

Vulnerability type: Unauthenticated Information Disclosure (CWE-200)

Any unauthenticated remote attacker who can reach a freshly deployed FacturaScripts instance before installation is completed can retrieve the full PHP environment. On production deployments this includes:

  • Database credentials (DB_PASSWORD, DB_USER) if set as environment variables
  • Application secrets (APP_KEY, JWT secrets) if set as environment variables
  • Cloud provider credentials (AWS_SECRET_ACCESS_KEY, etc.) if present
  • Full server filesystem paths enabling targeted path traversal attempts
  • Exact PHP version and loaded extensions enabling version-specific attacks
  • All HTTP headers revealing internal infrastructure details
  • Database connection configuration (mysqli default socket, PDO drivers)
  • Exact PHP version enabling version-specific CVE targeting (PHP 8.1.34)

Fresh deployments are commonly left unconfigured for extended periods on shared hosting and cloud environments, making this window reliably exploitable in real-world scenarios.

Fix: Remove lines 115-118 from Core/Controller/Installer.php:

if ('TRUE' === $this->request->query('phpinfo', '')) { phpinfo(); return; }

AnalysisAI

Unauthenticated information disclosure in FacturaScripts allows remote attackers to trigger phpinfo() output on fresh deployments via /?phpinfo=TRUE, exposing full PHP configuration, environment variables (including database credentials and API keys), filesystem paths, and loaded extensions. The vulnerability affects all versions with the Installer controller enabled and no patch has been released as of April 2026; publicly available proof-of-concept code exists demonstrating exploitation against PHP 8.1.34.

Technical ContextAI

FacturaScripts is a PHP-based open-source accounting and invoicing application distributed via Composer. The vulnerability resides in Core/Controller/Installer.php (~line 115), where an unauthenticated GET parameter 'phpinfo=TRUE' triggers PHP's phpinfo() function directly without authentication checks. This debug feature was intentionally added in commit 8c31c106 on February 27, 2018, and persists in the codebase for over eight years. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), specifically allowing an attacker to read the full output of phpinfo() which includes environment variables, $_SERVER array contents, loaded extensions, and PHP configuration directives. The vulnerability is particularly severe because environment variables commonly store database credentials, API keys, and application secrets in containerized and cloud deployments.

RemediationAI

Immediately remove lines 115-118 from Core/Controller/Installer.php containing the phpinfo query parameter check: the conditional block 'if ('TRUE' === $this->request->query('phpinfo', '')) { phpinfo(); return; }' must be deleted entirely. After removing the code, redeploy the application and verify by testing the /?phpinfo=TRUE request - it should return a normal page response, not phpinfo() output. Until a vendor-released patch is available, enforce network-level access controls: restrict HTTP access to the installer endpoint (/) to administratively-controlled IP ranges using a reverse proxy, WAF, or network firewall; alternatively, block the application entirely from public internet access until installation is completed and config.php is properly configured. If the application must remain public during setup, apply HTTP authentication (Basic Auth or similar) to the / path via reverse proxy to require credentials before any request reaches the application. As a defense-in-depth measure, avoid storing secrets in environment variables and use a dedicated secrets management system; however, this does not remediate the vulnerability itself. The most critical action is code removal followed by deployment verification.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-32625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy