CVE-2026-27891 Overview
CVE-2026-27891 is a path traversal vulnerability in FacturaScripts, an open source accounting and invoicing platform. The flaw exists in the Plugins::add() function in Plugins.php, which fails to validate file paths inside uploaded ZIP archives. An authenticated attacker with plugin upload privileges can craft a malicious ZIP archive to write arbitrary .php files outside the plugins directory. Successful exploitation results in Remote Code Execution (RCE) under the web server's permissions. The issue affects FacturaScripts versions 2026 and below, and is fixed in version 2026.1.
Critical Impact
Authenticated attackers can achieve Remote Code Execution by exploiting a Zip Slip flaw to overwrite arbitrary PHP files on the server.
Affected Products
- FacturaScripts versions 2026 and below
- FacturaScripts core component Plugins.php
- Fixed in FacturaScripts 2026.1
Discovery Timeline
- 2026-05-18 - CVE-2026-27891 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-27891
Vulnerability Analysis
The vulnerability is a classic Zip Slip flaw classified under CWE-20 (Improper Input Validation). FacturaScripts allows administrators to install plugins by uploading ZIP archives through the Plugins::add() function. Before extraction, the testZipFile function inspects the archive contents to confirm that the archive contains exactly one root folder.
The validation logic uses explode on file paths and checks the resulting folder count against count($folders) != 1. This check confirms the structural shape of the archive but never inspects whether path components contain traversal sequences. As a result, malicious relative path segments survive validation.
During extraction, the underlying ZIP routine writes files using the supplied path verbatim. Any ../ segment escapes the plugins directory and lands wherever the PHP process holds write permissions, including the application root.
Root Cause
The root cause is missing sanitization of individual entry names inside the uploaded ZIP. The testZipFile routine validates archive topology but not the path content of each entry. Path traversal sequences embedded inside the otherwise valid root folder bypass the check.
Attack Vector
An attacker with privileges to upload plugins crafts a ZIP archive containing an entry named ValidPluginName/../../shell.php. The explode operation interprets ValidPluginName as the sole root folder, satisfying the single-folder constraint. When extraction proceeds, the ../../ sequence redirects the write outside the plugins directory.
The attacker then requests the dropped PHP file through the web server to execute arbitrary code. Because the vulnerability requires authenticated access with plugin upload rights, exploitation is gated by privilege but reachable over the network.
Detection Methods for CVE-2026-27891
Indicators of Compromise
- Unexpected .php files appearing outside the Plugins/ directory, particularly in the web root
- Plugin upload events followed by file system writes to non-plugin paths
- ZIP archive entries containing ../ sequences in plugin upload logs
- Web server access logs showing requests to unfamiliar PHP scripts immediately after a plugin installation
Detection Strategies
- Inspect FacturaScripts audit logs for plugin install actions performed by administrative accounts and correlate with file creation timestamps
- Scan the FacturaScripts installation directory for newly created PHP files that do not match the expected plugin layout
- Statically analyze any uploaded ZIP archives for entries whose normalized path resolves outside the plugins directory
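The contrast between the topology-only check described under Vulnerability Analysis and the per-entry path validation a scanner needs, as an added example written for this page (not FacturaScripts code). The `topology_only_check` function is a hypothetical reconstruction of the single-root-folder logic, the plugins directory name and the sample archives are constructed, and the traversal entry carries only a placeholder body.

```python
import io
import posixpath
import zipfile


def build_zip(entry_names):
    """Build an in-memory ZIP with placeholder bodies; only entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, "placeholder")
    return buf.getvalue()


# Constructed samples: a clean plugin archive and one carrying the traversal
# entry shape described in the Attack Vector section.
CLEAN_ZIP = build_zip(["ValidPluginName/index.php", "ValidPluginName/README.md"])
TRAVERSAL_ZIP = build_zip(["ValidPluginName/index.php",
                           "ValidPluginName/../../shell.php"])


def root_folders(names):
    """First path component of every entry, as the set of distinct roots."""
    return {name.split("/")[0] for name in names}


def topology_only_check(zip_bytes):
    """Hypothetical reconstruction of the single-root-folder check: it looks at
    archive shape only, so a traversal entry beneath the valid root passes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return len(root_folders(zf.namelist())) == 1


def entry_escapes(name, plugins_dir="Plugins"):
    """True when an entry name could land outside plugins_dir after extraction."""
    if name.startswith(("/", "\\")) or "\\" in name or ":" in name:
        return True  # absolute or Windows-style paths are never acceptable
    if any(part == ".." for part in name.split("/")):
        return True  # explicit traversal segment, whatever it resolves to
    resolved = posixpath.normpath(posixpath.join(plugins_dir, name))
    return not resolved.startswith(plugins_dir + "/")


def hardened_check(zip_bytes):
    """Topology check plus per-entry validation: every entry must stay under plugins_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return len(root_folders(names)) == 1 and not any(entry_escapes(n) for n in names)


def scan_report(zip_bytes):
    """Detection helper: list the entries of an uploaded archive that escape plugins_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes(n)]
```

Running `scan_report` over archives captured from plugin upload logs gives the offending entry names directly, which is the evidence the indicator list above asks for.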
Monitoring Recommendations
- Enable file integrity monitoring on the FacturaScripts web root and Plugins/ directory
- Alert on PHP file creation events originating from the FacturaScripts process outside expected plugin subdirectories
- Forward web server and application logs to a centralized SIEM and alert on post-upload requests to previously unseen PHP endpoints
How to Mitigate CVE-2026-27891
Immediate Actions Required
- Upgrade FacturaScripts to version 2026.1 or later, which contains the official fix
- Audit the FacturaScripts installation for unexpected PHP files outside the Plugins/ directory and remove any unauthorized artifacts
- Restrict plugin upload privileges to a minimal set of trusted administrative accounts
- Rotate credentials for any administrative accounts that may have been compromised prior to patching
Patch Information
The vendor addressed the vulnerability in FacturaScripts 2026.1. The fix is published in the upstream commit referenced in the GitHub Commit Update and documented in the GitHub Security Advisory GHSA-3pgc-xqg9-cfr6. The patch validates each ZIP entry path and rejects archives containing traversal sequences.
Workarounds
- Disable plugin uploads entirely until the upgrade to 2026.1 is complete
- Place the FacturaScripts application behind a web application firewall and block multipart uploads containing ZIP entries with ../ sequences
- Restrict file system write permissions of the web server user to the Plugins/ directory only, preventing writes to the application root
# Configuration example: restrict write permissions to the plugins directory only.
# Everything is owned by root and readable by the web server group; only Plugins/
# is group-writable. Adjust the paths if your installation legitimately writes elsewhere.
chown -R root:www-data /var/www/facturascripts
find /var/www/facturascripts -type d -exec chmod 755 {} \;
find /var/www/facturascripts -type f -exec chmod 644 {} \;
# Directories under Plugins/ need the execute bit for traversal; files do not,
# so set 775 on directories and 664 on files rather than a blanket chmod -R 775.
find /var/www/facturascripts/Plugins -type d -exec chmod 775 {} \;
find /var/www/facturascripts/Plugins -type f -exec chmod 664 {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.