PT-2026-38611 · Neorazorx · Facturascripts

Published: 2026-05-07 · Updated: 2026-05-19 · CVE-2026-27892

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to 2026

Description: A sensitive information disclosure issue exists in the Library module of FacturaScripts. The application stores and serves uploaded images byte-for-byte without stripping EXIF, XMP, or IPTC metadata. This allows any authenticated user who downloads an image to extract the uploader's embedded metadata, which may include GPS coordinates, device information, timestamps, embedded comments, notes, thumbnail previews, and other personally identifiable information (PII). In real-world scenarios, this could lead to the disclosure of an employee's precise home address if they upload a photo taken at their residence.

Recommendations: Update to version 2026. As a temporary workaround, restrict access to the Library module to minimize the risk of unauthorized metadata extraction.
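The class of fix the advisory implies is to inspect uploaded images for metadata segments and strip them before they are stored or served. The following Python is an added example written for this page; it is not FacturaScripts code and does not describe how the project fixed the issue. It uses only the standard library and handles the JPEG container: it splits the marker stream, reports whether the file carries EXIF (including a GPS IFD pointer), XMP, IPTC or a COM comment, and rebuilds the file without those segments while keeping JFIF and the decoding tables intact. The sample image inside `build_sample_jpeg()` is a constructed marker stream, not a real photograph. PNG, WebP and TIFF carry metadata in their own chunk formats and need separate handling, or a re-encode through an image library that discards metadata.

```python
import struct

# JPEG marker values (big-endian 16-bit)
SOI, SOS, COM = 0xFFD8, 0xFFDA, 0xFFFE
APP0 = 0xFFE0   # JFIF header: keep
APP1 = 0xFFE1   # Exif (GPS, device, timestamps, thumbnail) and XMP: strip
APP13 = 0xFFED  # Photoshop IRB, which carries IPTC records: strip

# Payload prefixes that identify the metadata family inside APP1/APP13
METADATA_SIGNATURES = {
    b"Exif\x00\x00": "EXIF",
    b"http://ns.adobe.com/xap/1.0/\x00": "XMP",
    b"Photoshop 3.0\x00": "IPTC",
}


def split_jpeg(data):
    """Split a JPEG into (segments, tail): segments is a list of (marker, payload)
    for everything between SOI and SOS; tail is the SOS marker, the entropy-coded
    scan data and EOI, which are passed through untouched."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("truncated or malformed marker stream at offset %d" % pos)
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:
            return segments, data[pos:]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length


def exif_has_gps(tiff):
    """Scan IFD0 of the TIFF structure inside an Exif block for the GPSInfo
    pointer tag (0x8825); its presence means a GPS IFD exists."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    end = "<" if tiff[:2] == b"II" else ">"
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        off = ifd0 + 2 + 12 * i          # each IFD entry is 12 bytes
        if off + 2 > len(tiff):
            break
        if struct.unpack(end + "H", tiff[off:off + 2])[0] == 0x8825:
            return True
    return False


def find_metadata(data):
    """Return the metadata families found, in file order (a check to run at upload time)."""
    found = []
    for marker, payload in split_jpeg(data)[0]:
        if marker == COM:
            found.append("COM")
            continue
        for sig, kind in METADATA_SIGNATURES.items():
            if payload.startswith(sig):
                found.append(kind)
                if kind == "EXIF" and exif_has_gps(payload[len(sig):]):
                    found.append("GPS")
    return found


def strip_metadata(data):
    """Rebuild the JPEG without APP1, APP13 and COM segments. APP0 (JFIF), DQT, SOF,
    DHT and the scan data are preserved, so the pixels decode exactly as before."""
    segments, tail = split_jpeg(data)
    out = bytearray(b"\xFF\xD8")
    for marker, payload in segments:
        if marker in (APP1, APP13, COM):
            continue
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out) + tail


def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg():
    """Constructed sample (not a real photo): a valid marker stream with a JFIF header,
    an Exif block whose IFD0 points at a GPS IFD, an XMP packet, an IPTC block,
    a COM comment, then a minimal SOS section and EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    tiff = (b"II*\x00" + struct.pack("<I", 8)             # little-endian TIFF header
            + struct.pack("<H", 1)                          # IFD0 has one entry
            + struct.pack("<HHII", 0x8825, 4, 1, 26)        # GPSInfo pointer tag
            + struct.pack("<I", 0))                         # no next IFD
    exif = b"Exif\x00\x00" + tiff
    xmp = b"http://ns.adobe.com/xap/1.0/\x00" + b"<x:xmpmeta>constructed</x:xmpmeta>"
    iptc = b"Photoshop 3.0\x00" + b"8BIMconstructed"
    scan = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00" + b"\x12\x34" + b"\xFF\xD9"
    return (b"\xFF\xD8" + _segment(APP0, jfif) + _segment(APP1, exif) + _segment(APP1, xmp)
            + _segment(APP13, iptc) + _segment(COM, b"constructed comment") + scan)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", find_metadata(sample))
    print("after: ", find_metadata(strip_metadata(sample)))
```

In a real upload handler the same two calls fit on either side of the storage step: `find_metadata()` gives a log-worthy signal of what an upload carried, and `strip_metadata()` produces the bytes that are actually written to disk and later served. Stripping every APP1 and APP13 segment, rather than only the ones whose signature is recognised, is deliberate: an unknown application segment cannot contain anything a viewer needs to render the image.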

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-27892
GHSA-Q7F2-RV22-2XGR

Affected Products

Facturascripts
Facturascripts/Facturascripts