CVE-2026-27892 Overview
CVE-2026-27892 is an information disclosure vulnerability in FacturaScripts, an open source accounting and invoicing platform. The Library module stores and serves uploaded images byte-for-byte without stripping embedded metadata. Any authenticated user with download access can extract EXIF, XMP, and IPTC metadata from images uploaded by other users. The exposed data includes GPS coordinates, device identifiers, timestamps, embedded comments, thumbnail previews, and other personally identifiable information (PII). The flaw is classified as CWE-200 and affects all FacturaScripts versions prior to 2026.
Critical Impact
An authenticated user can recover the precise physical location of image uploaders, including home addresses derived from GPS-tagged photos.
Affected Products
- FacturaScripts versions prior to 2026
- FacturaScripts Library module (image upload and download functionality)
- Deployments exposing the Library module to authenticated low-privilege users
Discovery Timeline
- 2026-05-18 - CVE-2026-27892 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-27892
Vulnerability Analysis
FacturaScripts exposes an image upload feature through its Library module. Uploaded files are written to persistent storage and served back through authenticated download endpoints. The server does not sanitize image metadata at any stage of the upload or retrieval process.
Most camera applications and mobile devices embed extensive metadata directly into image files. This metadata includes GPS latitude and longitude, camera make and model, firmware version, capture timestamps, user-supplied comments, and miniature thumbnail previews. When an authenticated user downloads an image from the Library, the original byte stream is returned intact, exposing all embedded metadata to the downloader.
The practical impact extends beyond technical data leakage. An employee who uploads a photo taken at home discloses their residential GPS coordinates to every user with Library access. Device identifiers also support correlation across separate uploads, enabling tracking of individual users.
Root Cause
The root cause is missing server-side metadata sanitization on image uploads handled by the Library module. The application treats uploaded images as opaque binary blobs and skips EXIF, XMP, and IPTC stripping during both storage and delivery. Of all FacturaScripts image upload features, only the Library module combined unrestricted uploads, persistent storage, authenticated download access, and the absence of metadata removal.
Attack Vector
Exploitation requires authenticated access with permission to download Library content. The attacker browses the Library, retrieves a target image, and parses the embedded metadata using any standard EXIF tool such as exiftool or exiv2. No exploitation code is required because the metadata extraction relies on documented image format features. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-q7f2-rv22-2xgr.
Detection Methods for CVE-2026-27892
Indicators of Compromise
- Repeated authenticated downloads of Library images by a single user account within short time windows
- Library images stored on disk that retain EXIF GPS, MakerNote, or thumbnail tags after upload
- Access log entries showing enumeration of Library image identifiers by low-privilege accounts
Detection Strategies
- Audit stored Library images with exiftool to confirm whether GPS, device, or thumbnail metadata is present in production data
- Review FacturaScripts access logs for accounts that download disproportionate volumes of Library assets relative to their role
- Correlate user roles against Library download permissions to identify accounts with unnecessary access
Monitoring Recommendations
- Forward FacturaScripts web server logs to a centralized log platform and alert on bulk image download patterns
- Track download counts per Library asset and flag images accessed by users outside the uploader's team
- Monitor for new user accounts gaining Library download permissions through role changes
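The bulk-download indicator and the log-review strategy above can be turned into a concrete check. The Python below is an example added here; it is not FacturaScripts code and does not come from the advisory. It assumes a simplified, constructed download-log format ("time user GET path status") with a hypothetical /download/library/<id> path, so the regular expression must be adapted to the real web-server or application log layout before use. It reports users who fetch more than a threshold of distinct Library images inside a sliding time window, and users whose successive downloads walk image identifiers sequentially, which is the enumeration pattern listed under Indicators of Compromise.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed log layout (constructed for this example, not FacturaScripts' real format):
# "<ISO-8601 time> <username> GET <path> <http status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) GET /download/library/(?P<id>\d+) (?P<status>\d{3})$"
)

# Constructed sample: alice walks six consecutive ids in 13 seconds, bob fetches two
# images 37 minutes apart, carol's request is denied and must not count.
SAMPLE_LOG = """\
2026-05-20T09:00:01 alice GET /download/library/1042 200
2026-05-20T09:00:05 alice GET /download/library/1043 200
2026-05-20T09:00:07 alice GET /download/library/1044 200
2026-05-20T09:00:09 alice GET /download/library/1045 200
2026-05-20T09:00:12 alice GET /download/library/1046 200
2026-05-20T09:00:14 alice GET /download/library/1047 200
2026-05-20T09:03:00 bob GET /download/library/2001 200
2026-05-20T09:40:00 bob GET /download/library/2002 200
2026-05-20T10:15:00 carol GET /download/library/77 403
"""

Event = Tuple[datetime, str, int]  # (time, user, image id)


def parse_log(text: str) -> List[Event]:
    """Return successful Library downloads in time order; unmatched or non-200 lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], int(m["id"])))
    return sorted(events)


def bulk_download_alerts(events: List[Event], max_images: int = 5,
                         window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Users who fetched more than `max_images` distinct images within any `window`.
    Returns the largest distinct-image count observed per flagged user."""
    recent: Dict[str, deque] = defaultdict(deque)  # user -> (time, id) pairs inside the window
    alerts: Dict[str, int] = {}
    for ts, user, img in events:
        q = recent[user]
        q.append((ts, img))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct > max_images:
            alerts[user] = max(alerts.get(user, 0), distinct)
    return alerts


def enumeration_alerts(events: List[Event], min_run: int = 4) -> Dict[str, int]:
    """Users whose consecutive downloads step through image ids one by one (id, id+1, id+2 ...),
    which is what scripted enumeration of Library identifiers looks like."""
    last: Dict[str, int] = {}
    run: Dict[str, int] = defaultdict(lambda: 1)
    alerts: Dict[str, int] = {}
    for _ts, user, img in events:
        run[user] = run[user] + 1 if user in last and img == last[user] + 1 else 1
        last[user] = img
        if run[user] >= min_run:
            alerts[user] = max(alerts.get(user, 0), run[user])
    return alerts
```

Both detectors are deliberately role-agnostic; the thresholds should be tuned per role as the strategy above suggests (an accounts clerk who needs five invoices' attachments a minute is normal, a warehouse login pulling sixty is not), and the two signals are strongest together: a high-volume user who is also walking sequential ids is almost never doing legitimate work.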
How to Mitigate CVE-2026-27892
Immediate Actions Required
- Upgrade FacturaScripts to version 2026, which strips image metadata server-side before storage and delivery
- Audit existing Library images and re-process them to remove embedded EXIF, XMP, and IPTC metadata
- Restrict Library download permissions to the minimum set of users required for business operations
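The audit in Detection Strategies and the re-processing step above can both be carried out without an external tool. The following Python is an example added here; it is not FacturaScripts code, not the fix from the upstream commit, and not from the advisory. It walks the JPEG segment table to report which metadata classes a file carries (Exif with GPS, device or thumbnail tags, XMP, IPTC, free-text comments) and produces a stripped copy by dropping those segments while leaving the encoded pixel data untouched. It handles JPEG only; the sample file is constructed inline as a marker-valid skeleton, not a viewable picture, and the tag numbers and segment signatures are the ones defined by the Exif, XMP and IPTC specifications.

```python
import struct
from typing import Dict, Iterator, Set, Tuple

# JPEG marker codes and the payload signatures that identify metadata segments
SOI, EOI, SOS, APP0, APP1, APP13, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xED, 0xFE
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
IPTC_HEADER = b"Photoshop 3.0\x00"
TAG_MAKE, TAG_MODEL, TAG_THUMB, TAG_GPS_IFD = 0x010F, 0x0110, 0x0201, 0x8825
METADATA_MARKERS = {APP1, APP13, COM}  # Exif/XMP, IPTC, comment


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes, bytes]]:
    """Yield (marker, raw_bytes, payload) per header segment; at SOS yield the rest once and stop."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            yield marker, data[pos:], b""
            return
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos:end], data[pos + 4:end]
        pos = end


def _walk_ifd(tiff: bytes, order: str, offset: int, tags: Set[int]) -> int:
    """Add the tag ids of one IFD to `tags`; return the next-IFD offset (0 if none)."""
    count = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        entry = offset + 2 + 12 * i
        tags.add(struct.unpack(order + "H", tiff[entry:entry + 2])[0])
    next_ptr = offset + 2 + 12 * count
    return struct.unpack(order + "I", tiff[next_ptr:next_ptr + 4])[0]


def exif_tags(tiff: bytes) -> Set[int]:
    """Tag ids present in IFD0 (main image) and IFD1 (thumbnail) of an Exif TIFF blob."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    tags: Set[int] = set()
    ifd1 = _walk_ifd(tiff, order, struct.unpack(order + "I", tiff[4:8])[0], tags)
    if ifd1:
        _walk_ifd(tiff, order, ifd1, tags)
    return tags


def audit_image(data: bytes) -> Dict[str, bool]:
    """Report which metadata classes a JPEG carries."""
    report = dict.fromkeys(["exif", "gps", "device", "thumbnail", "xmp", "iptc", "comment"], False)
    for marker, _raw, payload in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            tags = exif_tags(payload[len(EXIF_HEADER):])
            report["exif"] = True
            report["gps"] = TAG_GPS_IFD in tags              # pointer to a GPS IFD
            report["device"] = bool(tags & {TAG_MAKE, TAG_MODEL})
            report["thumbnail"] = TAG_THUMB in tags          # embedded JPEG preview in IFD1
        elif marker == APP1 and payload.startswith(XMP_HEADER):
            report["xmp"] = True
        elif marker == APP13 and payload.startswith(IPTC_HEADER):
            report["iptc"] = True
        elif marker == COM:
            report["comment"] = True
    return report


def strip_metadata(data: bytes) -> bytes:
    """Copy the JPEG without APP1, APP13 and COM segments; scan data is copied verbatim."""
    out = bytearray(b"\xFF\xD8")
    for marker, raw, _payload in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += raw
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed input: a marker-valid skeleton (not a decodable picture) with JFIF,
    an Exif block carrying Make plus a GPS IFD, and a comment segment."""
    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    make = b"Acme\x00"
    # TIFF layout: header at 0, IFD0 at 8 (30 bytes), Make string at 38, GPS IFD at 44
    ifd0 = (struct.pack(">H", 2)
            + struct.pack(">HHII", TAG_MAKE, 2, len(make), 38)     # ASCII, stored out of line
            + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, 44)          # LONG pointer to the GPS IFD
            + struct.pack(">I", 0))                                # no IFD1, hence no thumbnail
    gps_ifd = (struct.pack(">H", 1)
               + struct.pack(">HHI", 0x0000, 1, 4) + b"\x02\x03\x00\x00"  # GPSVersionID 2.3.0.0
               + struct.pack(">I", 0))
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd0 + make + b"\x00" + gps_ifd
    return (b"\xFF\xD8"
            + seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(APP1, EXIF_HEADER + tiff)
            + seg(COM, b"taken at home")
            + seg(SOS, b"\x01\x01\x00") + b"\x12\x34\x56"   # placeholder scan header and data
            + b"\xFF\xD9")
```

Running audit_image over every file under the Library storage directory gives the inventory the audit step asks for, and strip_metadata(open(path, "rb").read()) written back over the file is the re-processing step. Two caveats for a production pipeline: dropping APP1 also removes the Exif Orientation tag, so phone photos stored sideways may render rotated afterwards (re-encode, or rewrite the segment with only that tag, if that matters), and this parser covers JPEG only; PNG (tEXt/iTXt/eXIf chunks) and HEIF/WebP carry metadata in different containers and need their own stripper.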
Patch Information
The issue is fixed in FacturaScripts version 2026. The remediation is committed in commit b0725147a61a9a377b7180589af33ff52b4751e2 and documented in the GitHub Security Advisory. Administrators should apply the upstream release rather than attempt manual backports, as the fix integrates metadata stripping into the image handling pipeline.
Workarounds
- Strip metadata from images before upload using client-side tools such as exiftool -all= image.jpg
- Disable or restrict the Library module if upgrading is not immediately feasible
- Apply a reverse proxy or upload gateway that re-encodes images and discards metadata prior to handoff to FacturaScripts
# Bulk-strip metadata from an existing Library directory before upgrading
# (-all= also removes the Exif Orientation tag and the ICC profile, so spot-check
# that images still display with the expected orientation and colours afterwards)
exiftool -all= -overwrite_original -r /var/www/facturascripts/MyFiles/Library/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.