CVE-2026-32699

MEDIUM

FacturaScripts unauthorized modification of immutable nick field via EditUser controller

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-32699. PoCs published by TurkiOS.

AI-analyzed exploit summary The repository provides a detailed technical analysis of CVE-2026-32699, a Broken Access Control vulnerability in FacturaScripts. It explains how the 'nick' parameter in the EditUser controller can be manipulated via a proxy to rename any account, including the Administrator, leading to audit log corruption.

Description

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.

Exploits (1)

github WRITEUP

by TurkiOS · poc

https://github.com/TurkiOS/cve-2026-32699-facturascripts-nick-bypass

View Code ZIP pw:eip

The repository provides a detailed technical analysis of CVE-2026-32699, a Broken Access Control vulnerability in FacturaScripts. It explains how the 'nick' parameter in the EditUser controller can be manipulated via a proxy to rename any account, including the Administrator, leading to audit log corruption.

Classification

Writeup 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: FacturaScripts

Auth required

Prerequisites: Valid user credentials · Access to a proxy tool like Burp Suite

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 17, 2026 Full analysis →

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3

Scores

CVSS v4 5.3

EPSS 0.0002

EPSS Percentile 4.8%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-472

Status published

Products (2)

facturascripts/facturascripts 0 - 2024.92.x-devPackagist

NeoRazorX/facturascripts <= 2025.92

Published May 05, 2026

Tracked Since May 06, 2026