PT-2026-38616 · Neorazorx+1 · Facturascripts+1
Preritpathak · Published 2026-05-07 · Updated 2026-05-27 · CVE-2026-42878
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to v2026
Description: An unauthenticated information disclosure issue in the Installer controller allows a remote attacker to trigger the phpinfo() function on a fresh deployment. By requesting the endpoint "/" with the parameter phpinfo set to "TRUE", an attacker can expose the full PHP configuration, server environment variables, filesystem paths, and loaded extensions. This exposure may include sensitive data such as database credentials, API keys, or application secrets stored as environment variables.
Recommendations: Update to version v2026. As a temporary workaround, restrict access to the Installer controller or the "/" endpoint until the update is applied.
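Added detection example (not part of this advisory or of the FacturaScripts project): a small Python scanner that flags requests carrying a phpinfo query parameter in web server access logs, so operators can check whether the "/" endpoint of an unfinished installation was probed. It assumes the combined log format; the log lines below are constructed samples, and the parameter match is deliberately broader than the advisory's exact "TRUE" value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2026:10:01:05 +0000] "GET /?phpinfo=TRUE HTTP/1.1" 200 88211 "-" "curl/8.6.0"
198.51.100.4 - - [07/May/2026:10:02:11 +0000] "GET /?PHPINFO=true HTTP/1.1" 200 88211 "-" "python-requests/2.32"
198.51.100.4 - - [07/May/2026:10:02:30 +0000] "GET /index.php?page=Installer&phpinfo=1 HTTP/1.1" 200 88211 "-" "curl/8.6.0"
192.0.2.9 - - [07/May/2026:10:03:00 +0000] "GET /login?return=/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_phpinfo_probe(target: str) -> bool:
    """True when the request target carries a phpinfo query parameter.

    The parameter name is matched case-insensitively and the value is ignored
    (assumption: a defender wants to see every attempt, not only "TRUE").
    parse_qs percent-decodes names, so an encoded name is matched too.
    """
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)
    return any(name.lower() == "phpinfo" for name in params)


def find_probes(log_text: str) -> list[dict]:
    """Return one record per log line that looks like a phpinfo probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_phpinfo_probe(m["target"]):
            continue
        hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['target']} (HTTP {hit['status']})")
```

A 200 response with a large body on such a request is the strongest signal that phpinfo() actually rendered; a 403 after the workaround has been applied confirms the restriction is in place.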

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-42878
GHSA-VRXF-VRC4-22P7

Affected Products

Facturascripts
Facturascripts/Facturascripts