Preritpathak

#48217 of 53,622
5.3 Total CVSS
Vulnerabilities · 1
PT-2026-38616
5.3
2026-05-07
Neorazorx · Facturascripts · CVE-2026-42878
**Name of the Vulnerable Software and Affected Versions**
FacturaScripts versions prior to v2026

**Description**
An unauthenticated information disclosure issue in the Installer controller allows a remote attacker to trigger the `phpinfo()` function on a fresh deployment. By requesting the endpoint "/" with the parameter `phpinfo` set to "TRUE", an attacker can expose the full PHP configuration, server environment variables, filesystem paths, and loaded extensions. This exposure may include sensitive data such as database credentials, API keys, or application secrets stored as environment variables.

**Recommendations**
Update to version v2026. As a temporary workaround, restrict access to the Installer controller or the "/" endpoint until the update is applied.