PT-2026-38617 · Unknown · Facturascripts
Guzrex · Published 2026-05-07 · Updated 2026-05-27 · CVE-2026-42879
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
FacturaScripts versions prior to 2025.81
Description
An authenticated unrestricted file upload issue exists in the product image upload functionality. An attacker with valid credentials can bypass MIME type validation by prepending GIF89a magic bytes to a PHP file, causing the system to incorrectly identify it as an image. The vulnerability is located in the addImageAction() function within Core/Lib/ExtendedController/ProductImagesTrait.php. Because the system saves files using their original names, an attacker can upload executable files with extensions such as .php to a web-accessible directory, potentially leading to remote code execution.
Recommendations
For versions prior to 2025.81, implement the following measures:
- Validate file extensions to reject any upload ending in .php, .phtml, .phar, or other executable extensions.
- Re-generate filenames on the server using a safe UUID-based name instead of using getClientOriginalName().
- Store uploaded files outside the webroot and serve them through a controller to prevent direct URL execution.
- Use a file type library to validate actual file content, including magic bytes, extensions, and MIME types, rather than trusting client-supplied data.
- As a temporary workaround, restrict access to the addImageAction() function or the Core/Lib/ExtendedController/ProductImagesTrait.php component to minimize the risk of exploitation.
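As an added illustration of the measures above (example code written for this advisory, not FacturaScripts' own code), the Python below contrasts the weak pattern the description names, trusting sniffed magic bytes and keeping the client-supplied filename, with a hardened handler that allowlists extensions, requires the content to match the claimed type, and stores the file under a server-generated UUID name. The GIF polyglot and the GIF header used as inputs are constructed samples, and the upload storage path is left out since it depends on the deployment.

```python
import re
import uuid

# Allowlist of image extensions and the magic bytes each must start with.
# Anything not listed (.php, .phtml, .phar, ...) is rejected by default.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Constructed samples: a PHP file with GIF89a prepended, and a bare GIF header.
POLYGLOT = b"GIF89a" + b"<?php echo 'not really an image'; ?>"
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"

def looks_like_image(data: bytes) -> bool:
    """Magic-byte sniffing alone: the check the polyglot is built to pass."""
    return any(data.startswith(m) for magics in ALLOWED_TYPES.values() for m in magics)

def vulnerable_upload_name(client_name: str, data: bytes):
    """Weak pattern: sniff the type, then keep the client's original filename."""
    if not looks_like_image(data):
        return None
    return client_name  # 'shell.php' would be written to a web-served directory

def hardened_upload_name(client_name: str, data: bytes):
    """Extension allowlist, content must match the claimed type, server-chosen name."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_TYPES:
        return None  # .php and friends never reach the allowlist
    if not any(data.startswith(m) for m in ALLOWED_TYPES[ext]):
        return None  # claimed extension and actual content disagree
    # No part of the client name survives, so double extensions
    # such as 'x.php.gif' cannot smuggle an executable suffix.
    return f"{uuid.uuid4()}.{ext}"

def is_server_generated_name(name: str) -> bool:
    """True when the stored name is a UUID plus an allowlisted extension."""
    exts = "|".join(ALLOWED_TYPES)
    return re.fullmatch(rf"[0-9a-f]{{8}}(-[0-9a-f]{{4}}){{3}}-[0-9a-f]{{12}}\.({exts})", name) is not None
```

Serving the stored file through a controller from a directory outside the webroot, as the recommendations state, closes the remaining path to direct URL execution even if a future check slips.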
Fix
Code Injection
Unrestricted File Upload
Related Identifiers
Affected Products
Facturascripts