CVE-2026-42878
Information Disclosure in FacturaScripts via phpinfo Exposure
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| facturascripts | facturascripts | 2026 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated remote attackers to access sensitive server and PHP configuration details, including environment variables that may contain database credentials, API keys, or application secrets.
Exposure of such sensitive information can lead to unauthorized access to personal data or protected health information, potentially violating data protection regulations such as GDPR and HIPAA.
Therefore, the vulnerability poses a risk to compliance with these standards by increasing the likelihood of data breaches or unauthorized data exposure.
Can you explain this vulnerability to me?
This vulnerability exists in FacturaScripts, an open source accounting and invoicing software, prior to version 2026. It allows any remote attacker to trigger the phpinfo() function on a fresh FacturaScripts deployment without authentication by requesting the application root with the query parameter phpinfo=TRUE (/?phpinfo=TRUE).
Triggering phpinfo() exposes the full PHP configuration, server environment variables, filesystem paths, and loaded extensions. This includes sensitive information such as database credentials, API keys, or application secrets that are set as environment variables.
How can this vulnerability impact me?
The vulnerability can lead to significant information disclosure, exposing sensitive server and application configuration details to unauthenticated remote attackers.
- Exposure of database credentials could allow attackers to access or manipulate the database.
- Disclosure of API keys and application secrets could enable unauthorized access to other integrated services.
- Revealing filesystem paths and server environment details can aid attackers in crafting further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether an unauthenticated request to the FacturaScripts installation triggers the phpinfo() output. Specifically, sending a request to the URL path /?phpinfo=TRUE on a fresh FacturaScripts deployment will show whether the vulnerability is present.
A simple command to test this from a system with curl installed would be:
- curl -i 'http://<target-host>/?phpinfo=TRUE' (the URL is quoted so the shell does not treat the ? as a glob character)
If the response contains phpinfo() output (detailed PHP configuration information, server environment variables, or database credentials), the system is vulnerable; a patched installation does not return that page for this request.
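Two defender-side checks for the detection described above, written as an added example (not code from FacturaScripts or from this advisory): a scanner that flags access-log requests carrying the phpinfo query parameter, and a classifier that decides whether an HTTP response body is phpinfo() output. The log lines and the marker strings are constructed for the example; matching the key case-insensitively with any value is an assumption chosen to over-alert rather than miss probing variants.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format) for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:01:02 +0000] "GET /?phpinfo=TRUE HTTP/1.1" 200 61234 "-" "curl/8.5.0"
203.0.113.7 - - [27/May/2026:10:01:05 +0000] "GET /?PHPINFO=1 HTTP/1.1" 200 61234 "-" "curl/8.5.0"
198.51.100.4 - - [27/May/2026:10:02:11 +0000] "GET /ListFacturaCliente HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2026:10:02:12 +0000] "GET /?page=phpinfo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Strings that phpinfo() HTML output carries; two or more hits are treated as a disclosure.
PHPINFO_MARKERS = ("phpinfo()", "PHP Version", "Configuration File (php.ini) Path",
                   "Loaded Configuration File", "PHP Variables")


def has_phpinfo_param(target: str) -> bool:
    """True when the request target carries a 'phpinfo' query key (any value).
    The advisory's trigger is /?phpinfo=TRUE; the key is compared case-insensitively and
    the value is ignored (assumption: a false positive is cheaper than a missed probe)."""
    query = urlsplit(target).query
    return any(k.lower() == "phpinfo" for k in parse_qs(query, keep_blank_values=True))


def scan_access_log(text: str) -> list:
    """Return (ip, target, status, size) for every request that probes the phpinfo parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and has_phpinfo_param(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"]), m["size"]))
    return hits


def looks_like_phpinfo(body: str) -> bool:
    """Classify an HTTP response body: does it look like phpinfo() output?
    Lets the curl check be interpreted without reading the whole page by eye."""
    return sum(marker in body for marker in PHPINFO_MARKERS) >= 2


if __name__ == "__main__":
    for ip, target, status, size in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested {target} -> HTTP {status}, {size} bytes")
```

Note that a probe for `/?page=phpinfo` is not flagged, since the key, not the value, is what triggers the disclosure; a 200 response with a large body on a flagged request is the strongest sign the installer answered with phpinfo() output.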
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade FacturaScripts to version 2026 or later, where this issue has been fixed.
Until the upgrade can be performed, restrict access to the installation endpoint or block requests containing the parameter phpinfo=TRUE to prevent unauthenticated attackers from triggering the phpinfo() disclosure.