FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload...

6.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.

Basic Information

ID CVE-2026-42879

Source GitHub_M

Published May 27, 2026 at 18:29

Affected Product

Vendor NeoRazorX

Product facturascripts

Version <= 2025.81

Affected Versions NeoRazorX facturascripts <= 2025.81

CWE Classification

CWE-94 CWE-434

References

github.com /NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9

{
    "lastseen": "",
    "description": "FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.",
    "published": "2026-05-27T18:29:46.718Z",
    "modified": "2026-05-27T18:29:46.718Z",
    "type": "cve",
    "title": "FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images",
    "source": "GitHub_M",
    "references": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9",
    "id": "CVE-2026-42879",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "NeoRazorX facturascripts <= 2025.81",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "facturascripts",
    "version": "<= 2025.81",
    "vendor": "NeoRazorX",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images_CVE-2026-42879