CVE-2026-27892
Deferred Deferred - Pending Action
FacturaScripts Image Metadata Exposure via Unsanitized Uploads

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadata, which included GPS coordinates, device information, timestamps, embedded comments/notes, thumbnail previews, and other personally identifiable information (PII) preserved in the image metadata. Of all FacturaScripts' image upload features, only the Library module combined unrestricted uploads, persistent storage, authenticated download access, and a total lack of server-side metadata sanitization. This vulnerability carries significant real-world impact: an employee uploading a photo taken at their home inadvertently discloses their precise home address to every user with Library download access. This issue has been fixed in version 2026.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-27892
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
facturascripts facturascripts to 2026 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-212 The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users to access images containing embedded metadata with personally identifiable information (PII), such as GPS coordinates, device information, timestamps, and comments. Such exposure of PII can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal data and restrict unauthorized access or disclosure.

Specifically, the inadvertent disclosure of sensitive location data (e.g., an employee's home address) to all users with Library download access increases the risk of violating privacy requirements mandated by these standards.

Therefore, until fixed in version 2026, this vulnerability posed a significant risk to compliance with common data protection regulations by failing to adequately protect PII embedded in image metadata.

Executive Summary

This vulnerability exists in the Library module of FacturaScripts, an open source accounting and invoicing software. In versions prior to 2026, the module stores and serves uploaded images without removing embedded metadata such as EXIF, XMP, and IPTC data.

Any authenticated user who downloads an image can extract sensitive metadata embedded by the uploader, including GPS coordinates, device information, timestamps, comments, thumbnail previews, and other personally identifiable information (PII).

This happens because the Library module allows unrestricted uploads, persistent storage, authenticated download access, and does not sanitize metadata on the server side.

For example, an employee uploading a photo taken at their home could inadvertently disclose their precise home address to every user with access to download images from the Library.

Impact Analysis

The vulnerability can lead to unintended disclosure of sensitive personal information embedded in image metadata to unauthorized or unintended users within the system.

  • Exposure of GPS coordinates can reveal precise physical locations such as home addresses.
  • Device information and timestamps can be used to track user behavior or identify individuals.
  • Embedded comments or notes may contain confidential or private information.

Overall, this can compromise user privacy and potentially lead to security risks related to the exposure of personally identifiable information (PII).

Mitigation Strategies

To mitigate this vulnerability, upgrade FacturaScripts to version 2026 or later, where the issue has been fixed.

Detection Guidance

This vulnerability involves unstripped image metadata (EXIF/XMP/IPTC) being stored and served by the Library module in FacturaScripts versions prior to 2026. To detect this vulnerability on your system or network, you can check if images downloaded from the Library module contain embedded metadata such as GPS coordinates, device information, timestamps, or other personally identifiable information.

One way to detect this is by downloading images from the Library module and inspecting their metadata using common command-line tools.

  • Use the 'exiftool' command to inspect image metadata: exiftool image.jpg
  • Alternatively, use 'identify' from ImageMagick to check for metadata: identify -verbose image.jpg
  • If you find GPS or other sensitive metadata in images served by the Library module, your system is likely affected by this vulnerability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27892. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart