CVE-2026-42878: FacturaScripts Information Disclosure

CVE-2026-42878 Overview

CVE-2026-42878 is an unauthenticated information disclosure vulnerability in FacturaScripts, an open source accounting and invoicing platform. The flaw resides in the Installer controller of fresh deployments prior to version v2026. Any remote attacker can trigger PHP's phpinfo() function by requesting /?phpinfo=TRUE, requiring no credentials or user interaction. The response exposes the complete PHP configuration, server environment variables, filesystem paths, and loaded extensions. Environment variables frequently contain database credentials, API keys, and application secrets, turning a single unauthenticated request into a credential harvesting opportunity. The issue is fixed in v2026 and is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

Critical Impact

Unauthenticated attackers can harvest server environment variables, including database credentials and API keys, from any fresh FacturaScripts deployment via a single HTTP GET request.

Affected Products

• FacturaScripts versions prior to v2026
• Fresh FacturaScripts deployments where the Installer controller remains reachable
• Self-hosted FacturaScripts instances exposed to untrusted networks

Discovery Timeline

• 2026-05-27 - CVE-2026-42878 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-42878

Vulnerability Analysis

The vulnerability is an information disclosure flaw in the Installer controller of FacturaScripts. When the application is freshly deployed, the installer remains accessible without authentication so administrators can complete initial setup. The controller inspects incoming query parameters and treats phpinfo=TRUE as a debug switch that invokes PHP's built-in phpinfo() function. The function renders a detailed HTML report covering PHP build options, INI directives, loaded modules, request headers, and the entire server environment block. Because the check runs before any authentication, the disclosure occurs in the unauthenticated installer scope. Attackers can use the exposed data to pivot directly to the database, cloud APIs, or other application backends referenced in environment variables.

Root Cause

The root cause is an insecure debug feature left enabled in the Installer controller. The controller honors the phpinfo query parameter and calls phpinfo() without any authorization check, host restriction, or installation-state guard. Debug output that should be limited to local diagnostics is rendered directly to any HTTP client. This pattern maps to [CWE-200] and reflects a missing access control around sensitive diagnostic functionality.

Attack Vector

Exploitation requires only network reachability to the FacturaScripts web root. An attacker issues an HTTP GET request to /?phpinfo=TRUE against a fresh deployment and receives the full phpinfo() output in the response body. No credentials, tokens, headers, or session state are required. Internet-wide scanning for the /?phpinfo=TRUE pattern allows opportunistic discovery of vulnerable instances. Exposed environment variables can then be used to authenticate to databases, cloud providers, or third-party APIs referenced by the application. See the FacturaScripts GitHub Security Advisory GHSA-vrxf-vrc4-22p7 for the maintainer's description.

Detection Methods for CVE-2026-42878

Indicators of Compromise

• HTTP GET requests containing the query string phpinfo=TRUE against any FacturaScripts URL path, particularly the application root /.
• Web server access log entries with HTTP 200 responses to /?phpinfo=TRUE and unusually large response sizes consistent with phpinfo() output.
• Requests originating from unexpected source IPs, scanning ranges, or anonymizing networks targeting the installer endpoint.

Detection Strategies

• Search web server and reverse proxy logs for the literal pattern phpinfo=TRUE in the query string and alert on any match.
• Create a WAF or IDS signature that inspects request URIs for the phpinfo parameter when the upstream application is FacturaScripts.
• Correlate access to the installer endpoint with the installation state of the application — any post-install access to installer routes is suspicious.

Monitoring Recommendations

• Forward FacturaScripts web server logs into a centralized analytics or SIEM platform and retain them for retrospective hunting.
• Monitor outbound authentication events for credentials that appear in the application's environment variables, looking for use from unfamiliar IP addresses.
• Alert on response payloads larger than a baseline threshold returned from the application root when the phpinfo parameter is present.

How to Mitigate CVE-2026-42878

Immediate Actions Required

• Upgrade FacturaScripts to v2026 or later on every deployment, including staging and development environments.
• Restrict network access to the FacturaScripts installer endpoint until the upgrade is verified, allowing only trusted administrative source IPs.
• Rotate any database credentials, API keys, and application secrets that were present in environment variables on potentially exposed hosts.

Patch Information

The vendor fixed the vulnerability in FacturaScripts v2026. The patched release removes the unauthenticated phpinfo() invocation from the Installer controller. Refer to the FacturaScripts GitHub Security Advisory GHSA-vrxf-vrc4-22p7 for upgrade guidance.

Workarounds

• Block requests containing the phpinfo query parameter at the reverse proxy or WAF layer until patching is complete.
• Disable the phpinfo() function globally in php.ini by adding it to the disable_functions directive on production servers.
• Remove or relocate the Installer controller routes after installation, or restrict them by source IP using web server configuration.

# Configuration example: block phpinfo parameter and disable function
# nginx: drop requests carrying the phpinfo query parameter
if ($arg_phpinfo) {
    return 403;
}

# php.ini: disable phpinfo at the interpreter level
disable_functions = phpinfo