CVE-2026-42879

Source
https://cve.org/CVERecord?id=CVE-2026-42879
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42879.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42879
Aliases
Published
2026-05-27T18:29:46.718Z
Modified
2026-07-08T08:12:35.237190515Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
Details

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42879.json",
    "cwe_ids": [
        "CWE-434",
        "CWE-94"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/neorazorx/facturascripts

Affected ranges

Type
GIT
Repo
https://github.com/neorazorx/facturascripts
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2025.81"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

2018.*
2018.03
2018.04
2018.05
2018.11
c2024.*
c2024.92
v2018.*
v2018.12
v2018.13
v2018.14
v2018.15
v2018.16
v2020.*
v2020.01
v2020.2
v2020.3
v2020.4
v2020.51
v2020.61
v2020.71
v2020.80
Other
v2021
v2024
v2025
v2021.*
v2021.1
v2021.2
v2021.4
v2021.51
v2021.71
v2021.81
v2022.*
v2022.06
v2022.08
v2022.2
v2022.4
v2022.51
v2023.*
v2023.08
v2023.16
v2023.21
v2024.*
v2024.1
v2024.2
v2024.3
v2024.5
v2024.7
v2024.8
v2024.9
v2024.91
v2025.*
v2025.11
v2025.2
v2025.3
v2025.4
v2025.41
v2025.43
v2025.7
v2025.71
v2025.8
v2025.81

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42879.json"