CVE-2026-27891
Deferred Deferred - Pending Action
Zip Slip Arbitrary File Write in FacturaScripts

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory. The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder. An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has permissions the root directory. This issue is fixed in version 2026.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-27891
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
facturascripts facturascripts to 2026.1 (exc)
facturascripts facturascripts 2026.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in FacturaScripts, an open source accounting and invoicing software, specifically in versions 2026 and below. It is found in the Plugins::add() function where the system fails to properly validate file paths inside uploaded ZIP archives.

An attacker can exploit this by crafting a ZIP file that appears to have a valid root folder but contains files with path traversal sequences like "../../". This allows the attacker to write files outside the intended plugins directory, potentially overwriting sensitive .php files.

This type of attack is known as a Zip Slip attack, which can lead to Arbitrary File Write and Remote Code Execution (RCE) on the server hosting the application.

Impact Analysis

Exploitation of this vulnerability can allow an attacker to overwrite critical PHP files on the server, leading to Remote Code Execution (RCE).

This means the attacker could execute arbitrary code with the permissions of the web server, potentially gaining control over the affected system.

Such control could lead to data theft, data manipulation, service disruption, or further compromise of the network.

Mitigation Strategies

To mitigate this vulnerability, upgrade FacturaScripts to version 2026.1 or later, where the issue has been fixed.

Avoid using vulnerable versions (2026 and below) of FacturaScripts, especially the Plugins::add() function that handles ZIP archive uploads.

Restrict file upload permissions and carefully monitor any plugin uploads to prevent exploitation of the Zip Slip vulnerability.

Compliance Impact

The vulnerability allows an attacker to perform arbitrary file writes and remote code execution by exploiting a Zip Slip path traversal in the plugin upload mechanism. This can lead to unauthorized access and modification of sensitive files, potentially compromising the confidentiality, integrity, and availability of data managed by the software.

Such a compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information. Unauthorized code execution and file manipulation could result in data breaches or unauthorized data exposure, violating these regulations' requirements for data security and privacy.

Therefore, until the vulnerability is fixed (in version 2026.1), systems using affected versions of FacturaScripts may be at increased risk of non-compliance with these standards due to the potential for unauthorized data access and modification.

Detection Guidance

This vulnerability involves a Zip Slip path traversal during plugin ZIP archive extraction in FacturaScripts versions 2026 and below. Detection can focus on identifying suspicious ZIP files containing file paths with directory traversal sequences such as "../" or "..\" inside the archive.

One approach is to inspect plugin ZIP files before installation to check for unsafe paths. For example, you can use the unzip command with the -l option to list files and grep for traversal patterns:

  • unzip -l suspicious_plugin.zip | grep -E '(\.\./|\.\.\\)'

Additionally, monitoring file system changes for unexpected .php files outside the plugins directory or unusual modifications can help detect exploitation attempts.

Since the vulnerability allows arbitrary file writes and remote code execution, reviewing web server logs for suspicious requests or newly created PHP files in unexpected locations may also be useful.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27891. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart