CVE-2026-42879
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| facturascripts | facturascripts | to 2025.81 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for suspicious PHP files uploaded in the web-accessible directories where product images are stored, typically under /MyFiles/YYYY/MM/.
Since the vulnerability allows uploading PHP files disguised as GIF images, you can look for files with a .php extension that start with the GIF89a header.
- Use commands to find PHP files in the upload directories, for example: `find /path/to/webroot/MyFiles/ -type f -name '*.php'`
- Check the file headers to see if they start with the GIF89a magic bytes, for example using the command: `head -c 6 filename.php | xxd`
- Use grep to find files containing the GIF89a header: `grep -rl $'GIF89a' /path/to/webroot/MyFiles/ --include='*.php'`
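The three commands above combined into one scan, as an added example that is not part of the CVE record or of FacturaScripts: it walks an upload directory, reports every PHP file found there, and separately flags those whose first bytes are a GIF header (the disguise this advisory describes). The `.phtml`/`.phar` extensions and the `GIF87a` variant are assumptions that go slightly beyond the page, and the sample tree is constructed inline.

```shell
#!/usr/bin/env bash
# Added example, not from the CVE record or the FacturaScripts project.

# Extension list: the page names .php; .phtml and .phar are an assumption
# about what a PHP-executing web server may also run.
scan_uploads() {
    local dir="$1" f magic
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) |
    sort |
    while IFS= read -r f; do
        magic=$(head -c 6 "$f")
        case "$magic" in
            GIF89a|GIF87a) echo "GIF-HEADER $f" ;;  # PHP extension plus image magic: strong indicator
            *)             echo "PHP-EXT $f" ;;     # any PHP file under uploads is out of place
        esac
    done
}

# Number of findings in one category (GIF-HEADER or PHP-EXT), for alerting on non-zero.
count_flagged() {
    scan_uploads "$1" | grep -c "^$2 " || true
}

# Constructed sample tree mirroring the /MyFiles/YYYY/MM/ layout the record mentions.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/MyFiles/2026/05"
    # disguised file: image magic followed by a harmless PHP comment (constructed, no payload)
    printf 'GIF89a<?php /* constructed sample */ ?>' > "$root/MyFiles/2026/05/product.php"
    # genuine image: same magic but a .gif extension, must not be flagged
    printf 'GIF89a\001\000\001\000' > "$root/MyFiles/2026/05/logo.gif"
    # PHP file without image magic: still out of place in an upload directory
    printf '<?php /* constructed */ ?>' > "$root/MyFiles/2026/05/stray.php"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    scan_uploads "$d"
    rm -rf "$d"
fi
```

Run with `--demo` to see the two findings on the constructed tree; in production point `scan_uploads` at the real `MyFiles` directory and alert on any output at all, since no PHP file belongs there.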
Can you explain this vulnerability to me?
This vulnerability exists in FacturaScripts, an open source accounting and invoicing software, specifically in versions 2025.81 and earlier. It is an authenticated unrestricted file upload vulnerability in the product image upload functionality. An attacker who has valid credentials can upload a PHP file disguised as a GIF image by using a GIF89a header, which bypasses the MIME type validation. The uploaded file retains its original executable extension, such as .php, allowing the attacker to potentially execute malicious code on the server.
How can this vulnerability impact me?
The impact of this vulnerability includes the possibility for an attacker with valid credentials to execute arbitrary code on the server by uploading malicious PHP files disguised as images. This can lead to unauthorized access, data manipulation, data leakage, or disruption of service within the affected FacturaScripts installation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement strict validation of file extensions to reject executable files such as .php.
- Regenerate filenames server-side to prevent attackers from controlling file names and extensions.
- Store uploaded files outside the web root directory to prevent direct web access to uploaded files.
- Use a robust file type validation library that verifies the actual file content rather than relying solely on MIME type.
Note that no patch is currently available, so these mitigations are critical to reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not explicitly address how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.