Unrestricted File Upload Vulnerability in FacturaScripts Accounting Software
CVE-2026-42879

6.3 MEDIUM

Key Information:

Vendor

Neorazorx

CVE Published:
27 May 2026

What is CVE-2026-42879?

FacturaScripts, an open-source accounting and invoicing application, has a significant vulnerability in its product image upload feature. In versions 2025.81 and earlier, an authenticated user can upload a malicious file by disguising it as a GIF image: a manipulated GIF89a header is enough to pass the MIME type validation, and the file is then stored with its original executable extension, so a harmful PHP file is saved as PHP. The flaw lies in the addImageAction() method in Core/Lib/ExtendedController/ProductImagesTrait.php. If exploited, it can permit unauthorized access and execution of arbitrary code.
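The root cause described above is that the upload check trusted a recognisable image header and the client-supplied MIME type while keeping the user's own filename and extension. The following is an added example (not FacturaScripts code, and not the project's fix) of the kind of upload validator that closes that class of gap: it ignores the declared Content-Type entirely, sniffs the leading bytes against an allowlist of image signatures, rejects any filename that carries a server-side executable extension anywhere in its name (including double extensions), requires the sniffed type to agree with the extension, and replaces the filename with a content-derived name and an extension chosen by the server. The signature table, extension sets and function names are this example's own assumptions.

```python
import hashlib
import os

# Magic-byte allowlist for the image types the upload endpoint accepts (assumed set).
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}
# Server-side executable or config extensions that must never reach a web-served
# directory, regardless of what the file's leading bytes look like (assumed set).
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php5", "php7", "phar", "cgi", "pl", "sh", "htaccess",
}


def sniff_image_type(data: bytes):
    """Classify by leading bytes only; returns 'gif', 'png', 'jpg' or None."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def extension_parts(filename: str):
    """All dot-separated suffixes of the basename, lower-cased:
    'a.php.gif' -> ['php', 'gif'], '.htaccess' -> ['htaccess'], 'README' -> []."""
    base = os.path.basename(filename).lower()
    return base.split(".")[1:]


def validate_image_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name).

    The client's Content-Type header is deliberately not an input: it is
    attacker-controlled and proves nothing about the bytes that were sent.
    """
    parts = extension_parts(filename)
    if not parts:
        return False, "no extension", None
    # Reject executable extensions anywhere in the name, not just at the end,
    # so 'x.php.gif' is refused as well as 'x.php'.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts):
        return False, "executable extension in filename", None
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist", None
    ext = "jpg" if ext == "jpeg" else ext
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image", None
    # A GIF89a header on a file named .php never gets here, but a .gif name on
    # PNG bytes would: the extension must agree with what the content says.
    if sniffed != ext:
        return False, f"extension .{ext} does not match {sniffed} content", None
    # Never keep the user-supplied name: derive it from content, and let the
    # server pick the extension from the sniffed type.
    stored_name = hashlib.sha256(data).hexdigest()[:32] + "." + sniffed
    return True, "ok", stored_name


if __name__ == "__main__":
    # Constructed sample uploads: a minimal GIF header and a mismatched name.
    print(validate_image_upload("logo.gif", b"GIF89a" + b"\x00" * 32))
    print(validate_image_upload("avatar.php", b"GIF89a" + b"\x00" * 32))
    print(validate_image_upload("avatar.gif", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```

Signature sniffing alone is still not proof that a file is a well-formed image; a production validator would also decode the file with an image library and re-encode it before storing, keep the upload directory outside the web root or disable script execution there, and serve the files with `X-Content-Type-Options: nosniff`. The point this example makes is the ordering: the server, not the client, decides both the type and the stored extension.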

Affected Version(s)

facturascripts <= 2025.81

References

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
