Vulnerability-Lookup

CVE-2026-42878 (GCVE-0-2026-42878)

Vulnerability from cvelistv5 – Published: 2026-05-27 18:28 – Updated: 2026-05-28 15:12

Title

FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts

Summary

FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/NeoRazorX/facturascripts/secur…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
NeoRazorX	facturascripts	Affected: < v2026

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42878",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T15:11:49.089116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T15:12:12.260Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "facturascripts",
          "vendor": "NeoRazorX",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c v2026"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T18:28:05.666Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7"
        }
      ],
      "source": {
        "advisory": "GHSA-vrxf-vrc4-22p7",
        "discovery": "UNKNOWN"
      },
      "title": "FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42878",
    "datePublished": "2026-05-27T18:28:05.666Z",
    "dateReserved": "2026-04-30T18:49:06.711Z",
    "dateUpdated": "2026-05-28T15:12:12.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42878",
      "date": "2026-05-28",
      "epss": "0.00037",
      "percentile": "0.11522"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42878\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T19:16:17.763\",\"lastModified\":\"2026-05-28T16:16:23.067\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}"
  }
}

FKIE_CVE-2026-42878

Vulnerability from fkie_nvd - Published: 2026-05-27 19:16 - Updated: 2026-05-28 16:16

Severity

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026."
    }
  ],
  "id": "CVE-2026-42878",
  "lastModified": "2026-05-28T16:16:23.067",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T19:16:17.763",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-VRXF-VRC4-22P7

Vulnerability from github – Published: 2026-05-07 19:43 – Updated: 2026-05-07 19:43

Summary

FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint

Details

Summary

An unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated.

Details

The phpinfo() debug endpoint was intentionally added in commit 8c31c106 ("Added phpinfo option to the installer") on February 27, 2018, and has remained in the codebase for over 8 years across multiple major versions.

The feature appears to have been added as a convenience tool to help users diagnose PHP configuration during installation. However, it exposes sensitive server information to any unauthenticated attacker who knows the parameter.

Vulnerable code (Core/Controller/Installer.php ~line 115):

if ('TRUE' === $this->request->query('phpinfo', '')) {
    phpinfo();
    return;
}

This vulnerability is of the same class as CVE-2025-34081 (CONPROSYS HMI System unauthenticated phpinfo() exposure), which received a CVE assignment.

Introduced: commit 8c31c1060581ad6ad591c7689da3a8df8a29f486 (Feb 27 2018) Still present: v2026-39-g262e79208 (confirmed April 2026)

PoC

Prerequisites: Fresh FacturaScripts deployment where installation has not yet been completed (config.php does not contain db_name).

Step 1 — Clone and serve the application: git clone https://github.com/NeoRazorX/facturascripts cd facturascripts php -S localhost:8000

Step 2 — Send the following unauthenticated GET request: GET /?phpinfo=TRUE HTTP/1.1 Host: localhost:8000

Step 3 — Observe full phpinfo() output returned (20+ pages) containing: - Complete PHP configuration - All server environment variables - Filesystem paths - Loaded extensions and versions - HTTP request headers

No credentials, cookies, or prior interaction required.

Tested on: PHP 8.1.34, macOS, fresh clone with no configuration applied. Proof of concept screenshot/PDF available.

Impact

Vulnerability type: Unauthenticated Information Disclosure (CWE-200)

Any unauthenticated remote attacker who can reach a freshly deployed FacturaScripts instance before installation is completed can retrieve the full PHP environment. On production deployments this includes:

Database credentials (DB_PASSWORD, DB_USER) if set as environment variables
Application secrets (APP_KEY, JWT secrets) if set as environment variables
Cloud provider credentials (AWS_SECRET_ACCESS_KEY, etc.) if present
Full server filesystem paths enabling targeted path traversal attempts
Exact PHP version and loaded extensions enabling version-specific attacks
All HTTP headers revealing internal infrastructure details
Database connection configuration (mysqli default socket, PDO drivers)
Exact PHP version enabling version-specific CVE targeting (PHP 8.1.34)

Fresh deployments are commonly left unconfigured for extended periods on shared hosting and cloud environments, making this window reliably exploitable in real-world scenarios.

Fix: Remove lines 115-118 from Core/Controller/Installer.php:

if ('TRUE' === $this->request->query('phpinfo', '')) {
    phpinfo();
    return;
}

Severity

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "facturascripts/facturascripts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026"
            },
            {
              "last_affected": "2026.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T19:43:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated.\n\n### Details\nThe phpinfo() debug endpoint was intentionally added in commit 8c31c106  (\"Added phpinfo option to the installer\") on February 27, 2018, and has remained in the codebase for over 8 years across multiple major versions.\n\nThe feature appears to have been added as a convenience tool to help users diagnose PHP configuration during installation. However, it exposes sensitive server information to any unauthenticated attacker who knows the parameter.\n\nVulnerable code (Core/Controller/Installer.php ~line 115):\n\n    if (\u0027TRUE\u0027 === $this-\u003erequest-\u003equery(\u0027phpinfo\u0027, \u0027\u0027)) {\n        phpinfo();\n        return;\n    }\n\nThis vulnerability is of the same class as CVE-2025-34081 (CONPROSYS HMI System unauthenticated phpinfo() exposure), which received a CVE assignment.\n\nIntroduced: commit 8c31c1060581ad6ad591c7689da3a8df8a29f486 (Feb 27 2018)\nStill present: v2026-39-g262e79208 (confirmed April 2026)\n\n### PoC\nPrerequisites: Fresh FacturaScripts deployment where installation has not yet been completed (config.php does not contain db_name).\n\nStep 1 \u2014 Clone and serve the application:\n    git clone https://github.com/NeoRazorX/facturascripts\n    cd facturascripts\n    php -S localhost:8000\n\nStep 2 \u2014 Send the following unauthenticated GET request:\n    GET /?phpinfo=TRUE HTTP/1.1\n    Host: localhost:8000\n\nStep 3 \u2014 Observe full phpinfo() output returned (20+ pages) containing:\n    - Complete PHP configuration\n    - All server environment variables\n    - Filesystem paths\n    - Loaded extensions and versions\n    - HTTP request headers\n\nNo credentials, cookies, or prior interaction required.\n\nTested on: PHP 8.1.34, macOS, fresh clone with no configuration applied.\nProof of concept screenshot/PDF available.\n\n### Impact\nVulnerability type: Unauthenticated Information Disclosure (CWE-200)\n\nAny unauthenticated remote attacker who can reach a freshly deployed FacturaScripts instance before installation is completed can retrieve the full PHP environment. On production deployments this includes:\n\n  - Database credentials (DB_PASSWORD, DB_USER) if set as environment variables\n  - Application secrets (APP_KEY, JWT secrets) if set as environment variables  \n  - Cloud provider credentials (AWS_SECRET_ACCESS_KEY, etc.) if present\n  - Full server filesystem paths enabling targeted path traversal attempts\n  - Exact PHP version and loaded extensions enabling version-specific attacks\n  - All HTTP headers revealing internal infrastructure details\n  - Database connection configuration (mysqli default socket, PDO drivers)\n  - Exact PHP version enabling version-specific CVE targeting (PHP 8.1.34)\n\nFresh deployments are commonly left unconfigured for extended periods on shared hosting and cloud environments, making this window reliably exploitable in real-world scenarios.\n\nFix: Remove lines 115-118 from Core/Controller/Installer.php:\n\n    if (\u0027TRUE\u0027 === $this-\u003erequest-\u003equery(\u0027phpinfo\u0027, \u0027\u0027)) {\n        phpinfo();\n        return;\n    }",
  "id": "GHSA-vrxf-vrc4-22p7",
  "modified": "2026-05-07T19:43:24Z",
  "published": "2026-05-07T19:43:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NeoRazorX/facturascripts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42878 (GCVE-0-2026-42878)

FKIE_CVE-2026-42878

GHSA-VRXF-VRC4-22P7

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature