PT-2026-38610 · Unknown · Facturascripts

Published 2026-05-07 · Updated 2026-05-19 · CVE-2026-27891
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to 2026.1
Description: A Zip Slip issue exists in the Plugins::add() function within Plugins.php. The system does not properly validate or sanitize file paths inside uploaded ZIP archives. Although the testZipFile() function checks that the ZIP contains only one root folder, it does not validate the path of each individual entry. An attacker can bypass this check by using path traversal sequences, such as ../../, in filenames. This allows for Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the intended plugins directory, wherever the web server has write permissions.
Recommendations: Update to version 2026.1. As a temporary workaround, restrict access to the plugin upload functionality or the Plugins::add() function until the update is applied.
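The per-entry validation that the description says testZipFile() lacks, shown here as an added example in Python rather than the project's PHP code: every archive entry is rejected if it is absolute, contains a ".." component or is a symlink, the single-root-folder rule is kept, and each resolved target path is re-checked against the plugins directory before anything is written. The plugins directory path /srv/www/Plugins and both archives are constructed for this example.

```python
import io
import os
import stat
import zipfile

def check_plugin_zip(zip_bytes: bytes) -> list[str]:
    """Return the problems found (empty list = safe); keeps the single-root rule but also validates each entry."""
    problems, roots = [], set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.replace("\\", "/").split("/")  # archives built on Windows
            if parts[0] == "" or ":" in parts[0]:
                problems.append(f"absolute path: {info.filename!r}")
            if ".." in parts:
                problems.append(f"path traversal: {info.filename!r}")
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"symlink entry: {info.filename!r}")
            roots.add(parts[0])
    if len(roots) != 1:
        problems.append(f"expected one root folder, found {sorted(roots)}")
    return problems

def plan_extraction(zip_bytes: bytes, plugins_dir: str) -> dict[str, str]:
    """Map each entry to its absolute target path, refusing the archive if any path leaves plugins_dir."""
    problems = check_plugin_zip(zip_bytes)
    if problems:
        raise ValueError("; ".join(problems))
    dest, plan = os.path.realpath(plugins_dir), {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:  # defence in depth after the name check
                raise ValueError(f"escapes destination: {info.filename!r}")
            plan[info.filename] = target
    return plan  # the caller writes files only from this plan

def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

GOOD_PLUGIN = build_zip({"MyPlugin/facturascripts.ini": b"name = MyPlugin\n"})  # constructed
# One root component ("MyPlugin"), so a root-folder-only check passes, yet the
# second entry resolves two directories above the plugins folder (constructed).
ZIP_SLIP = build_zip({"MyPlugin/facturascripts.ini": b"name = MyPlugin\n",
                      "MyPlugin/../../index.php": b"<?php echo 1;\n"})
```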

Exploit · Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-27891
GHSA-3PGC-XQG9-CFR6

Affected Products

Facturascripts