PT-2026-35875 · Unknown · Facturascripts

Turkios · Published 2026-04-28 · Updated 2026-05-05 · CVE-2026-32699

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: FacturaScripts (affected versions not specified)
Description: Broken access control in the user update logic. The server does not validate the nick parameter of a 'POST' request to the '/EditUser' endpoint. The user interface does not allow this field to be edited, but that restriction is enforced only on the client side: an authenticated user who intercepts and modifies the request with a proxy can rename any account, including the Administrator. Because other records reference a user by nick, a rename leaves orphaned internal references (data corruption) and breaks the audit trail; an attacker can also rename their own account to evade detection or to frame another user, which amounts to identity impersonation.
Recommendations: At the moment there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/EditUser' endpoint, or enforce on the server side that the nick parameter cannot be modified: reject (or at least ignore) a posted nick that differs from the stored value rather than relying on the form to omit the field.
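The following is an added example written for this page, not FacturaScripts code: a Python model of the update logic the advisory describes, with the vulnerable handler (every posted field, nick included, is written to the record) next to the hardened one (nick is treated as immutable and a tampered request is rejected). Everything other than the '/EditUser' endpoint and the nick parameter is an assumption of the model: users are keyed by nick, the POST body names the target record with a 'code' field, a separate invoices table references users by nick, the handlers return a (success, message) pair, and the "only admins may edit other accounts" check is an extra defense added here, not something the advisory states.

```python
"""Model of the /EditUser flaw from the advisory (illustrative, not FacturaScripts code).

Assumptions of this model: users are keyed by nick, the POST body carries the
target record in 'code', invoices reference users by nick, and each handler
returns (ok, message). Only '/EditUser' and 'nick' come from the advisory.
"""
from copy import deepcopy

# Constructed sample data for this example.
SAMPLE_USERS = {
    "admin": {"nick": "admin", "email": "admin@example.test", "is_admin": True},
    "alice": {"nick": "alice", "email": "alice@example.test", "is_admin": False},
}
SAMPLE_INVOICES = [
    {"code": "INV-0001", "nick": "admin"},
    {"code": "INV-0002", "nick": "alice"},
]

# Fields the edit form actually exposes. 'nick' is deliberately absent: that is
# the restriction the UI enforces and the server must enforce as well.
FORM_FIELDS = ("email",)


def fresh_users():
    """Independent copy of the sample users so each call starts clean."""
    return deepcopy(SAMPLE_USERS)


def edit_user_vulnerable(users, post):
    """Mirrors the broken logic: every posted field, 'nick' included, is written
    to the record, so a proxy-edited request renames the account."""
    record = users.pop(post["code"])
    for key, value in post.items():
        if key != "code":
            record[key] = value
    users[record["nick"]] = record  # re-keyed under the attacker-chosen nick
    return True, "saved"


def edit_user_fixed(users, actor_nick, post):
    """Server-side enforcement: 'nick' is immutable, and a changed nick is
    rejected (not silently dropped) so the attempt shows up in logs."""
    target = users.get(post["code"])
    if target is None:
        return False, "no such user"
    # Extra defense assumed here, not stated in the advisory: only admins may
    # edit accounts other than their own.
    actor = users[actor_nick]
    if not actor["is_admin"] and actor_nick != target["nick"]:
        return False, "forbidden"
    if "nick" in post and post["nick"] != target["nick"]:
        return False, "nick is immutable"
    for key in FORM_FIELDS:  # copy only the fields the form is allowed to change
        if key in post:
            target[key] = post[key]
    return True, "saved"


def orphaned_references(users, invoices):
    """Invoice codes whose nick no longer matches any user: the data-corruption
    effect of renaming an account that other rows point at."""
    return [inv["code"] for inv in invoices if inv["nick"] not in users]


def demo():
    """Send the same proxy-modified POST (nick added) to both handlers."""
    tampered = {"code": "admin", "email": "admin@example.test", "nick": "root"}

    vuln_users = fresh_users()
    ok_v, _ = edit_user_vulnerable(vuln_users, tampered)

    fixed_users = fresh_users()
    ok_f, msg_f = edit_user_fixed(fixed_users, "admin", tampered)

    return {
        "vulnerable_renamed": ok_v and "root" in vuln_users and "admin" not in vuln_users,
        "vulnerable_orphans": orphaned_references(vuln_users, SAMPLE_INVOICES),
        "fixed_rejected": not ok_f,
        "fixed_message": msg_f,
        "fixed_orphans": orphaned_references(fixed_users, SAMPLE_INVOICES),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the comparison: the vulnerable handler re-keys the Administrator as "root" and INV-0001 is left pointing at a nick that no longer exists, while the hardened handler refuses the request with "nick is immutable" and the data stays consistent. Rejecting rather than ignoring the field is deliberate: a silently dropped parameter hides the tampering attempt from the audit trail the advisory is concerned with.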

Exploit

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-32699
GHSA-PP79-HQV6-VMC3

Affected Products

Facturascripts