CVE-2026-42879
Authenticated File Upload Bypass in FacturaScripts

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
FacturaScripts is open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists in the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: facturascripts
Product: facturascripts
Version / Range: to 2025.81 (exc)
CWE
  • CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  • CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

This vulnerability exists in FacturaScripts, an open source accounting and invoicing software, specifically in versions 2025.81 and earlier. It is an authenticated unrestricted file upload vulnerability in the product image upload functionality. An attacker who has valid credentials can upload a PHP file disguised as a GIF image by using a GIF89a header, which bypasses the MIME type validation. The uploaded file retains its original executable extension, such as .php, allowing the attacker to potentially execute malicious code on the server.

Impact Analysis

The impact of this vulnerability includes the possibility for an attacker with valid credentials to execute arbitrary code on the server by uploading malicious PHP files disguised as images. This can lead to unauthorized access, data manipulation, data leakage, or disruption of service within the affected FacturaScripts installation.

Detection Guidance

This vulnerability can be detected by searching for suspicious PHP files uploaded in the web-accessible directories where product images are stored, typically under /MyFiles/YYYY/MM/.

Since the vulnerability allows uploading PHP files disguised as GIF images, you can look for files with a .php extension that start with the GIF89a header.

  • Use commands to find PHP files in the upload directories, for example: find /path/to/webroot/MyFiles/ -type f -name '*.php'
  • Check the file headers to see if they start with the GIF89a magic bytes, for example using the command: head -c 6 filename.php | xxd
  • Use grep to find files containing the GIF89a header: grep -rl $'GIF89a' /path/to/webroot/MyFiles/ --include='*.php'
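The three commands above can be combined into one scanner that walks the upload tree, flags every PHP-executable file it finds there (none belongs in an image directory), and separately labels the ones that carry the GIF89a disguise. The script below is an added example written for this page, not code from FacturaScripts; the executable extensions other than .php, and the sample files it builds in a temporary directory, are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Magic bytes a GIF file starts with; the advisory names GIF89a, GIF87a is the older variant.
GIF_MAGIC = (b"GIF89a", b"GIF87a")

# Extensions the web server would hand to the PHP interpreter. ".php" is the one named in the
# advisory; the others are common handler aliases and are an assumption, not taken from the page.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def classify(path: Path) -> Optional[str]:
    """Return a finding label for a file in an image upload directory, or None if benign."""
    if path.suffix.lower() not in EXECUTABLE_EXTENSIONS:
        return None
    with path.open("rb") as fh:
        head = fh.read(6)
    if head in GIF_MAGIC:
        return "php-with-gif-header"   # the disguise described in the advisory
    return "php-in-upload-dir"         # no PHP belongs in an image directory at all


def scan_upload_dir(root: Path) -> List[Tuple[str, str]]:
    """Walk the upload tree and return (relative path, label) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            label = classify(path)
            if label is not None:
                findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)


def run_demo() -> List[Tuple[str, str]]:
    """Build a constructed MyFiles tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        month_dir = root / "MyFiles" / "2026" / "05"
        month_dir.mkdir(parents=True)
        # Constructed sample files (not real uploads):
        (month_dir / "product.gif").write_bytes(b"GIF89a" + b"\x00" * 16)      # legitimate image
        (month_dir / "disguised.php").write_bytes(b"GIF89a" + b"placeholder")  # GIF header, .php extension
        (month_dir / "stray.php").write_bytes(b"placeholder")                  # PHP file without disguise
        (month_dir / "notes.txt").write_bytes(b"GIF89a")                       # header but non-executable
        return scan_upload_dir(root)


if __name__ == "__main__":
    for rel_path, label in run_demo():
        print(f"{label:22s} {rel_path}")
```

Point `scan_upload_dir` at the real web root's MyFiles directory to run it against an installation; any `php-in-upload-dir` hit is worth investigating even without the GIF header, since the image directory should never contain executable files.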

Mitigation Strategies

Immediate mitigation steps include:

  • Implement strict validation of file extensions to reject executable files such as .php.
  • Regenerate filenames server-side to prevent attackers from controlling file names and extensions.
  • Store uploaded files outside the web root directory to prevent direct web access to uploaded files.
  • Use a robust file type validation library that verifies the actual file content rather than relying solely on MIME type.
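The four mitigations fit together in a single upload handler: allowlist the extension, verify the content against that extension, generate the stored name on the server, and keep the storage directory outside the web root. The code below is an added example written for this page, not FacturaScripts' code; `weak_accept` is a constructed illustration of the failure mode (a content sniff alone plus the client's file name), and the image allowlist, the storage path and the sample payloads are assumptions.

```python
import hashlib
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Leading bytes of the image formats the endpoint accepts (assumed allowlist for this example).
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Client-supplied extension -> canonical extension; anything else (.php included) is rejected.
ALLOWED_EXTENSIONS = {"gif": "gif", "png": "png", "jpg": "jpg", "jpeg": "jpg"}

# Assumed storage directory outside the document root, so nothing here is served or executed
# directly; the application streams files from it after its own access checks.
STORAGE_ROOT = PurePosixPath("/var/lib/app-uploads/product-images")

# Constructed sample payloads for the usage demo (not real uploads).
GIF_SAMPLE = b"GIF89a" + b"\x00" * 10
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 10


class UploadRejected(ValueError):
    pass


def detect_image_type(data: bytes) -> Optional[str]:
    """Sniff the content and return 'gif', 'png' or 'jpg', or None if no signature matches."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def weak_accept(original_name: str, data: bytes) -> str:
    """Constructed illustration of the failure mode, not the project's code: a content sniff
    alone is satisfied by a GIF89a prefix, and the client's file name (extension included)
    is kept, so 'disguised.php' is stored as disguised.php."""
    if detect_image_type(data) is None:
        raise UploadRejected("not an image")
    return original_name


def hardened_accept(original_name: str, data: bytes) -> str:
    """Apply the four mitigations and return the server-chosen storage path."""
    # 1. Strict extension allowlist on the client name; '.php' and 'x.gif.php' fail here.
    ext = PurePosixPath(original_name).suffix.lower().lstrip(".")
    canonical = ALLOWED_EXTENSIONS.get(ext)
    if canonical is None:
        raise UploadRejected(f"extension .{ext or '?'} not allowed")
    # 2. Content validation: the bytes must actually be the declared image type.
    if detect_image_type(data) != canonical:
        raise UploadRejected("content does not match declared type")
    # 3. Server-generated name: content digest plus the canonical extension, nothing from the client.
    stored_name = f"{hashlib.sha256(data).hexdigest()}.{canonical}"
    # 4. Stored outside the web root.
    return str(STORAGE_ROOT / stored_name)


def check(original_name: str, data: bytes) -> Tuple[bool, str]:
    """Convenience wrapper: (True, storage path) or (False, rejection reason)."""
    try:
        return True, hardened_accept(original_name, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("weak:    ", weak_accept("disguised.php", GIF_SAMPLE))
    print("hardened:", check("disguised.php", GIF_SAMPLE))
    print("hardened:", check("product.gif", GIF_SAMPLE))
```

The signature check here is deliberately minimal; a production handler would decode the image with an imaging library as the fourth bullet suggests. The regenerated name is what makes the extension check robust: even when a client name passes the allowlist, nothing of it reaches disk, so multi-extension names and the original extension cannot influence how the web server treats the stored file.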

Note that no patch is currently available, so these mitigations are critical to reduce risk.

Compliance Impact

The provided information does not explicitly address how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
