FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory. The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder. An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has permissions the root directory. This issue is fixed in version 2026.1.
CVE-2026-27891
Score 7.2 from GitHub Security Advisory (severity: HIGH) published 2026-05-07. NVD baseline CVSS 7.2; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.2
- EG Score
- 7.2(medium)
- EPSS
- 40.8%
- KEV
- Not listed
Published
May 18, 2026
Last Modified
May 19, 2026
Advisory Details (2)
Auto-updated Jun 11, 2026Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism · Advisory · NeoRazorX/facturascripts · GitHub
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-3pgc-xqg9-cfr6commit 2dda7c6f3b24 (NeoRazorX/facturascripts)
Patch available: NeoRazorX/facturascripts v2026 (contains commit 2dda7c6f3b24)
https://github.com/NeoRazorX/facturascripts/commit/2dda7c6f3b241fa84a0629166783720b882725fdPatch Availability(1)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| composer | facturascripts/facturascripts | — | ghsa |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Packagist(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| facturascripts/facturascripts | 2018.03 ... v2025.8 (56 versions) | — | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 10× in last 7d / 67× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 177 total refreshes for this CVE.
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-13 22:30 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:15 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 21:03 UTCEG score recompute
- 2026-06-29 21:02 UTCGHSA enrichment
Show 75 moreShow fewer
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 09:56 UTCEG score recompute
- 2026-06-28 09:56 UTCGHSA enrichment
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 21:20 UTCEG score recompute
- 2026-06-27 21:20 UTCGHSA enrichment
- 2026-06-27 08:29 UTCEG score recompute
- 2026-06-27 08:29 UTCGHSA enrichment
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 19:53 UTCEG score recompute
- 2026-06-26 19:53 UTCGHSA enrichment
- 2026-06-25 17:27 UTCEG score recompute
- 2026-06-25 17:27 UTCGHSA enrichment
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 21:32 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 02:18 UTCEG score recompute
- 2026-06-18 02:18 UTCGHSA enrichment
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 12:02 UTCEG score recompute
- 2026-06-17 12:02 UTCGHSA enrichment
- 2026-06-16 21:30 UTCEG score recompute
- 2026-06-16 21:30 UTCGHSA enrichment
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-16 05:19 UTCEG score recompute
- 2026-06-16 05:19 UTCGHSA enrichment
- 2026-06-15 17:48 UTCEPSS rescore
- 2026-06-15 16:43 UTCEG score recompute
- 2026-06-15 16:42 UTCGHSA enrichment
- 2026-06-15 00:02 UTCEG score recompute
- 2026-06-15 00:02 UTCGHSA enrichment
- 2026-06-14 23:18 UTCEPSS rescore
- 2026-06-14 11:25 UTCEG score recompute
- 2026-06-14 11:25 UTCGHSA enrichment
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-13 22:49 UTCEG score recompute
- 2026-06-13 22:49 UTCGHSA enrichment
- 2026-06-13 07:00 UTCEG score recompute
- 2026-06-13 07:00 UTCGHSA enrichment
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 18:24 UTCEG score recompute
- 2026-06-12 18:23 UTCGHSA enrichment
- 2026-06-12 05:46 UTCEG score recompute
- 2026-06-12 05:46 UTCGHSA enrichment
- 2026-06-11 17:11 UTCEG score recompute
- 2026-06-11 17:11 UTCGHSA enrichment
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-11 04:35 UTCEG score recompute
- 2026-06-11 04:34 UTCGHSA enrichment
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 15:58 UTCEG score recompute
- 2026-06-10 15:58 UTCGHSA enrichment
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-10 03:23 UTCEG score recompute
- 2026-06-10 03:23 UTCGHSA enrichment
- 2026-06-09 14:47 UTCEG score recompute
- 2026-06-09 14:47 UTCGHSA enrichment
Related CVEs(same product + same CWE)
Same product
10 showncomposer:facturascripts/facturascripts
Same CWE
10 shownCWE-20 · CWE-434
Frequently asked(5)
What is CVE-2026-27891?
When was CVE-2026-27891 disclosed?
Is CVE-2026-27891 actively exploited?
What is the CVSS score of CVE-2026-27891?
How do I remediate CVE-2026-27891?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-27891
Is Your Infrastructure Affected by CVE-2026-27891?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.