Arbitrary File Write and Remote Code Execution Risk in FacturaScripts by NeoRazorX
CVE-2026-27891

7.2HIGH

Key Information:

Vendor: Neorazorx
Status: Facturascripts
Vendor: CVE Published:; 18 May 2026

What is CVE-2026-27891?

FacturaScripts, an open-source accounting and invoicing software, contains a vulnerability in the Plugins::add() function that allows for a Zip Slip attack. This occurs due to insufficient validation of file paths in uploaded ZIP archives, enabling an attacker to overwrite sensitive .php files outside the intended plugins directory. The vulnerability arises from the failure to properly sanitize individual file paths within the ZIP structure. Consequently, an attacker can manipulate file names to bypass checks, resulting in arbitrary file write operations and potential remote code execution. This issue has been addressed in version 2026.1 to enhance security.

Affected Version(s)

facturascripts < 2026.1

References

https://github.com/NeoRazorX/facturascripts/security/advi...

x_refsource_CONFIRM

https://github.com/NeoRazorX/facturascripts/commit/2dda7c...

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 18, 2026
Vulnerability Reserved
Feb 24, 2026

CVE-2026-27891 Data

JSON

Neorazorx

What is CVE-2026-27891?

Affected Version(s)

References

CVSS V3.1

Timeline