FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Wed, 27 May 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026. | |
| Title | FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts | |
| Weaknesses | CWE-200 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-27T18:28:05.666Z
Reserved: 2026-04-30T18:49:06.711Z
Link: CVE-2026-42878
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.