Unauthenticated Information Disclosure in FacturaScripts Accounting Software
CVE-2026-42878

5.3 MEDIUM

Key Information:

Vendor

Neorazorx

CVE Published:
27 May 2026

What is CVE-2026-42878?

FacturaScripts, an open-source accounting and invoicing application, contains an unauthenticated information disclosure vulnerability in its Installer controller. The flaw allows a remote attacker to trigger a call to PHP's phpinfo() function by appending /?phpinfo=TRUE to a request. The resulting output can expose sensitive information such as PHP configuration details, server environment variables, and database credentials, all without authentication. The vulnerability has been addressed in version 2026; users should update their installations to prevent potential data breaches.
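For defenders reviewing whether an exposed instance was probed before it was updated, the following added example (not part of the original advisory or of FacturaScripts) scans web server access logs for requests carrying the phpinfo query parameter described above. It assumes Combined Log Format; the sample lines, the size threshold and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: logs are in Apache/nginx Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption: heuristic only. phpinfo() pages are usually tens of kilobytes;
# tune this against the normal response size of your own instance.
MIN_PHPINFO_BYTES = 20000

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /?phpinfo=TRUE HTTP/1.1" 200 84213 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Jun/2026:10:00:05 +0000] "GET /?%70hpinfo=TRUE HTTP/1.1" 200 84101 "-" "curl/8.5.0"',
    '198.51.100.4 - - [01/Jun/2026:10:02:11 +0000] "GET /?phpinfo=TRUE HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jun/2026:10:03:00 +0000] "GET /search?q=phpinfo HTTP/1.1" 200 15320 "-" "Mozilla/5.0"',
]

def has_phpinfo_param(target):
    """True if the request target carries a query parameter named 'phpinfo'."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names, so an encoded name is matched as well.
    # Any value is flagged, not only TRUE, to stay conservative.
    return any(name == "phpinfo"
               for name, _ in parse_qsl(query, keep_blank_values=True))

def find_hits(lines):
    """Return one record per log line that requested the phpinfo parameter."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not has_phpinfo_param(m["target"]):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({
            "host": m["host"], "time": m["time"],
            "target": m["target"], "status": status,
            # 200 plus a large body suggests the phpinfo page was served.
            "likely_disclosed": status == 200 and size >= MIN_PHPINFO_BYTES,
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
```

Any hit marked likely_disclosed is a reason to treat the database credentials and other secrets visible in the PHP environment as exposed and to rotate them after updating.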

Affected Version(s)

facturascripts < v2026

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
