CVE-2026-32699 (GCVE-0-2026-32699)
Vulnerability from cvelistv5 – Published: 2026-05-05 19:00 – Updated: 2026-05-05 19:44
VLAI?
Title
FacturaScripts unauthorized modification of immutable nick field via EditUser controller
Summary
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
Severity ?
CWE
- CWE-472 - External Control of Assumed-Immutable Web Parameter
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NeoRazorX | facturascripts |
Affected:
<= 2025.92
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32699",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T19:44:24.611038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:44:45.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "facturascripts",
"vendor": "NeoRazorX",
"versions": [
{
"status": "affected",
"version": "\u003c= 2025.92"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-472",
"description": "CWE-472: External Control of Assumed-Immutable Web Parameter",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:00:19.957Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3"
}
],
"source": {
"advisory": "GHSA-pp79-hqv6-vmc3",
"discovery": "UNKNOWN"
},
"title": "FacturaScripts unauthorized modification of immutable nick field via EditUser controller"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32699",
"datePublished": "2026-05-05T19:00:19.957Z",
"dateReserved": "2026-03-13T14:33:42.823Z",
"dateUpdated": "2026-05-05T19:44:45.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32699",
"date": "2026-05-06",
"epss": "0.00014",
"percentile": "0.02584"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32699\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-05T20:16:35.693\",\"lastModified\":\"2026-05-06T21:25:30.910\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-472\"}]}],\"references\":[{\"url\":\"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32699\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-05T19:44:24.611038Z\"}}}], \"references\": [{\"url\": \"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-05T19:44:14.602Z\"}}], \"cna\": {\"title\": \"FacturaScripts unauthorized modification of immutable nick field via EditUser controller\", \"source\": {\"advisory\": \"GHSA-pp79-hqv6-vmc3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"NeoRazorX\", \"product\": \"facturascripts\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2025.92\"}]}], \"references\": [{\"url\": \"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3\", \"name\": \"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-472\", \"description\": \"CWE-472: External Control of Assumed-Immutable Web Parameter\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-05T19:00:19.957Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32699\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-05T19:44:45.408Z\", \"dateReserved\": \"2026-03-13T14:33:42.823Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-05T19:00:19.957Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-32699
Vulnerability from fkie_nvd - Published: 2026-05-05 20:16 - Updated: 2026-05-06 21:25
Severity ?
Summary
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable."
}
],
"id": "CVE-2026-32699",
"lastModified": "2026-05-06T21:25:30.910",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-05T20:16:35.693",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-472"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-PP79-HQV6-VMC3
Vulnerability from github – Published: 2026-04-28 22:39 – Updated: 2026-04-28 22:39
VLAI?
Summary
FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field
Details
Summary
The application fails to validate the nick parameter during a POST request to the EditUser controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption.
Details
The vulnerability exists in the user update logic. When a POST request is sent to /EditUser, the backend processes the nick form-data parameter without checking if it matches the original value or if the user has the privilege to change a unique identifier that is intended to be immutable.
PoC
1. Log in to the dashboard as any user (e.g. admin user).
2. Go to your Profile by clicking your username/avatar in the top right.
3. Open Burp Suite and ensure Intercept is ON.
5. Click the Save button in the UI.
6. In Burp Suite, locate nick in the body:
7. Change the value admin to Vulnerable (or any other string).
8. Click Forward in Burp Suite.
The application will log the user out. It is possible to now log back in using the username "Vulnerable" and the original password.
Impact
An attacker can effectively sabotage the system’s audit trail, performing malicious actions and then renaming their account to evade detection or frame other users. This breakdown in accountability facilitates identity impersonation and risks data corruption, as internal references to the original username become orphaned, undermining the overall integrity of the multi-user environment.
Result
Before
After
Severity ?
4.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "facturascripts/facturascripts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2024.92.x-dev"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32699"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:39:01Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe application fails to validate the ```nick``` parameter during a ```POST``` request to the ```EditUser``` controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption.\n\n### Details\nThe vulnerability exists in the user update logic. When a ```POST``` request is sent to ```/EditUser```, the backend processes the ```nick``` form-data parameter without checking if it matches the original value or if the user has the privilege to change a unique identifier that is intended to be immutable.\n\n### PoC\n***1.*** Log in to the dashboard as any user (e.g. admin user).\n\n***2.*** Go to your Profile by clicking your username/avatar in the top right.\n\n***3.*** Open Burp Suite and ensure Intercept is ON.\n\n***5.*** Click the Save button in the UI.\n\n***6.*** In Burp Suite, locate ```nick``` in the body:\n\n\u003cimg width=\"1915\" height=\"1013\" alt=\"Screenshot_2026-03-04_05_26_32\" src=\"https://github.com/user-attachments/assets/aea4e6fd-beba-4a47-96da-8b9bd9075681\" /\u003e\n\n\n***7.*** Change the value admin to Vulnerable (or any other string).\n\n***8.*** Click Forward in Burp Suite.\n\nThe application will log the user out. It is possible to now log back in using the username \"Vulnerable\" and the original password.\n\n### Impact\nAn attacker can effectively sabotage the system\u2019s audit trail, performing malicious actions and then renaming their account to evade detection or frame other users. This breakdown in accountability facilitates identity impersonation and risks data corruption, as internal references to the original username become orphaned, undermining the overall integrity of the multi-user environment.\n\n### Result\n\n#### Before \n\n\u003cimg width=\"1920\" height=\"996\" alt=\"Screenshot_2026-03-04_05_25_30\" src=\"https://github.com/user-attachments/assets/3b2d34e5-a2b9-4da9-9a56-963fe1a8fd65\" /\u003e\n\n#### After\n\n\u003cimg width=\"1920\" height=\"955\" alt=\"Screenshot_2026-03-04_05_27_00\" src=\"https://github.com/user-attachments/assets/af1de0ef-2b55-4d29-9557-29ee26a3775a\" /\u003e",
"id": "GHSA-pp79-hqv6-vmc3",
"modified": "2026-04-28T22:39:01Z",
"published": "2026-04-28T22:39:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3"
},
{
"type": "PACKAGE",
"url": "https://github.com/NeoRazorX/facturascripts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable \u0027nick\u0027 Field"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…