CVE-2026-42879 Overview
CVE-2026-42879 is an authenticated unrestricted file upload vulnerability in FacturaScripts, an open source accounting and invoicing platform. The flaw affects version 2025.81 and earlier releases. The vulnerability resides in the addImageAction() method within Core/Lib/ExtendedController/ProductImagesTrait.php. Attackers holding valid credentials can upload a PHP file disguised as a GIF image by prepending a GIF89a header, bypassing MIME type validation. The application stores the uploaded file with its original extension, including executable extensions such as .php. The issue is tracked under [CWE-94] Improper Control of Generation of Code.
Critical Impact
Authenticated attackers can upload PHP files through the product image upload feature and achieve code execution on the web server.
Affected Products
- FacturaScripts version 2025.81
- FacturaScripts versions prior to 2025.81
- Deployments exposing the product image upload functionality to authenticated users
Discovery Timeline
- 2026-05-27 - CVE CVE-2026-42879 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-42879
Vulnerability Analysis
The vulnerability exists in the product image upload handler implemented in the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php. The handler validates uploaded files by inspecting the MIME type signature at the beginning of the file content. An attacker can satisfy this check by placing a valid GIF89a magic header at the start of a file. The remainder of the file can contain arbitrary PHP code.
The application then writes the file to the server using the attacker-supplied filename and extension. Because the extension is preserved, files ending in .php are stored in a location served by the PHP interpreter. Subsequent HTTP requests to the uploaded file execute the embedded PHP payload under the privileges of the web server process.
Exploitation requires valid application credentials, which limits the attack to users who can authenticate or to attackers who obtain credentials through other means. The CVSS vector indicates a network-reachable attack with low privileges and no user interaction.
Root Cause
The root cause is incomplete input validation in the upload routine. The handler relies on content-based MIME detection but does not enforce a whitelist of allowed file extensions. The application trusts the client-supplied extension when persisting the file to disk, allowing executable script extensions to pass through unchanged.
Attack Vector
An authenticated user submits a crafted multipart upload to the product image endpoint. The payload contains a GIF89a header followed by PHP code and uses a filename such as shell.php. After upload, the attacker requests the resulting URL to invoke the PHP interpreter and execute commands on the host. Refer to the GitHub Security Advisory GHSA-vf3q-frmr-vrr9 for additional technical context.
Detection Methods for CVE-2026-42879
Indicators of Compromise
- Files with .php, .phtml, or other executable extensions present in FacturaScripts product image storage directories.
- Image files whose contents begin with GIF89a but contain PHP tags such as <?php later in the file body.
- Unexpected outbound network connections originating from the web server process following image upload activity.
Detection Strategies
- Inspect web server access logs for POST requests to the product image upload endpoint followed by GET requests to newly created files with script extensions.
- Scan image upload directories for files whose extension does not match the expected .gif, .jpg, .jpeg, .png, or .webp set.
- Run static content scans that flag files containing both image magic bytes and PHP code constructs.
Monitoring Recommendations
- Monitor authentication logs for credential abuse and unexpected logins preceding upload activity.
- Alert on creation of new files in web-accessible upload directories outside expected change windows.
- Track child processes spawned by the PHP-FPM or web server worker, including shell interpreters and reconnaissance commands.
How to Mitigate CVE-2026-42879
Immediate Actions Required
- Upgrade FacturaScripts to a release later than 2025.81 once the maintainer publishes a fixed version.
- Audit existing product image directories for files with executable extensions and remove any unauthorized artifacts.
- Rotate credentials for FacturaScripts accounts with upload privileges if compromise is suspected.
Patch Information
Review the FacturaScripts GitHub Security Advisory GHSA-vf3q-frmr-vrr9 for the maintainer's remediation guidance and patched release information.
Workarounds
- Configure the web server to disable PHP execution within the product image upload directory using directives such as Apache php_flag engine off or an Nginx location block that restricts handlers.
- Enforce an extension whitelist at a reverse proxy or web application firewall layer to reject uploads ending in .php, .phtml, .phar, or similar.
- Restrict the product image upload role to a minimum set of trusted users until the patched version is deployed.
# Apache example: disable PHP execution in the uploads directory
<Directory "/var/www/facturascripts/MyFiles/Images/Products">
php_flag engine off
AddType text/plain .php .phtml .phar
Options -ExecCGI
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
