CVE-2026-42879
MEDIUM
FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
Title source: cnaDescription
FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists in the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.
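To illustrate the root cause described above, here is an added example (not FacturaScripts code) that contrasts a check trusting only sniffed content, which a GIF89a-prefixed file passes, with a hardened validator that allowlists extensions, requires the magic bytes to agree with that extension, and never stores the client-supplied filename. The sample uploads are constructed byte strings.

```python
import os
import secrets
from typing import Optional, Tuple

# Constructed samples: a minimal genuine GIF, and a file whose first bytes spoof the
# GIF89a header but which keeps an executable extension (the pattern in the advisory).
GENUINE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 10
SPOOFED_UPLOAD = b"GIF89a" + b"<placeholder: non-image content>"

MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}
ALLOWED = {".gif": "image/gif", ".png": "image/png",
           ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}


def sniff_mime(data: bytes) -> Optional[str]:
    """Content sniffing from leading bytes only."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def weak_check(_filename: str, data: bytes) -> bool:
    """The flawed pattern: accept anything that sniffs as an image, ignore the extension."""
    return sniff_mime(data) is not None


def hardened_check(filename: str, data: bytes) -> Tuple[bool, Optional[str]]:
    """Accept only when the extension is allowlisted AND the magic bytes match it.

    Returns (accepted, storage_name). The storage name is server-chosen so the
    client-supplied name (and its extension) never reaches the filesystem.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, None
    if sniff_mime(data) != ALLOWED[ext]:
        return False, None
    return True, secrets.token_hex(16) + ext
```

Re-encoding accepted images with an image library before storage, and serving the upload directory with script execution disabled, close the remaining gap that byte-level checks leave.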
References (1)
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9
Scores
CVSS v3
6.3
EPSS
0.0023
EPSS Percentile
13.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-434
CWE-94
Status
published
Products (2)
facturascripts/facturascripts
0 - 2025.81 (Packagist)
NeoRazorX/facturascripts
<= 2025.81
Published
May 27, 2026
Tracked Since
May 28, 2026