PatchSiren cyber security CVE debrief
CVE-2026-27891 NeoRazorX CVE debrief
CVE-2026-27891 describes a high-severity Zip Slip (archive path traversal) issue in the plugin upload and extraction flow of FacturaScripts. The vulnerable Plugins::add() path only checks that an uploaded ZIP appears to have a single root folder; it does not sanitize the path of each individual entry inside the archive. A crafted traversal entry such as folder/../../target.php therefore escapes the intended plugins directory and is written elsewhere on the server, which includes dropping or overwriting .php files. The advisory states the issue is fixed in FacturaScripts 2026.1.
- Vendor: NeoRazorX
- Product: facturascripts
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
FacturaScripts administrators, hosting providers, and application security teams should care most where plugin installation or upload is enabled. Deployments that let privileged users upload plugins or ZIP-based extensions are at highest risk, because the flaw turns a trusted plugin upload into an arbitrary file write and, when the written file is a PHP file the web server will execute, likely remote code execution.
Technical summary
According to the advisory and the NVD record, the flaw is in Plugins.php, inside Plugins::add(). testZipFile() checks that the archive has a single top-level folder but does not validate each entry's relative path before extraction, so entries containing path traversal sequences (../) escape the plugins directory when the archive is extracted. NVD lists the issue with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2, High) and weaknesses CWE-20 and CWE-434.
Defensive priority
High — prioritize quickly if your deployment accepts plugin ZIP uploads or delegated administrator installs. The attack requires high privileges, but the impact is severe because successful file overwrite can lead to code execution.
Recommended defensive actions
- Upgrade FacturaScripts to 2026.1 or later.
- Temporarily disable plugin upload/install features if you cannot patch immediately.
- Restrict plugin installation to a minimal set of trusted administrators.
- Review recent plugin uploads and check the web root, and any other directory the web server process can write to, for unexpected PHP files or modified application files outside the plugins directory.
- Enable file integrity monitoring and alert on changes in executable PHP paths.
- Rotate credentials and investigate for unauthorized plugin installations if you find unexpected file writes.
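As an added example (not FacturaScripts code and not the advisory's proof of concept), the following Python script models both halves of the problem described in the technical summary and doubles as a triage check for the upload-review step above: a single-root-folder check of the kind described for testZipFile(), which a traversal entry passes; a per-entry path validation that rejects it; and a hardened extractor that writes nothing when any entry fails. The archive contents, the plugin name MyPlugin and the temporary Plugins/ directory are constructed for this example. Python's own ZipFile.extractall already strips traversal components, so the extractor below walks entries manually instead of relying on library behaviour the vulnerable code may not have had.

```python
"""Zip Slip triage for plugin archives (added example, not FacturaScripts code)."""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Dict, List, Tuple


def build_sample_plugin_zip(malicious: bool) -> bytes:
    """Constructed plugin archive: one root folder plus, optionally, a
    traversal entry of the shape the advisory describes (folder/../../x.php)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MyPlugin/facturascripts.ini", "name = 'MyPlugin'\n")
        zf.writestr("MyPlugin/Init.php", "<?php // benign plugin bootstrap\n")
        if malicious:
            # Relative to Plugins/, this resolves two levels up (the web root).
            zf.writestr("MyPlugin/../../target.php", "<?php /* attacker payload */\n")
    return buf.getvalue()


def archive_has_single_root(zip_bytes: bytes) -> bool:
    """The insufficient check: every entry shares one top-level folder.
    A traversal entry still begins with that folder, so it passes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        roots = {name.split("/", 1)[0] for name in zf.namelist() if name}
    return len(roots) == 1


def resolve_entry_path(dest_dir: str, entry_name: str) -> str:
    """Where a naive extractor that simply joins dest_dir and the entry name
    would write the file, after resolving '..' components and symlinks."""
    name = entry_name.replace("\\", "/")
    return os.path.realpath(os.path.join(dest_dir, *name.split("/")))


def entry_escapes(dest_dir: str, entry_name: str) -> bool:
    """Per-entry validation the advisory says was missing: reject absolute
    names, drive letters, and any name whose resolved path leaves dest_dir."""
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    if posixpath.normpath(name).split("/")[0] == "..":
        return True
    dest = os.path.realpath(dest_dir)
    target = resolve_entry_path(dest, name)
    return os.path.commonpath([dest, target]) != dest


def find_traversal_entries(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Triage helper: list entries of an uploaded ZIP that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes(dest_dir, n)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> Tuple[bool, List[str]]:
    """Hardened extraction: validate every entry first, write nothing on failure.
    Returns (False, offending entries) or (True, written entries)."""
    if not archive_has_single_root(zip_bytes):
        return False, ["archive must contain exactly one root folder"]
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [n for n in zf.namelist() if entry_escapes(dest_dir, n)]
        if bad:
            return False, bad
        written: List[str] = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = posixpath.normpath(info.filename)  # already validated above
            target = os.path.join(dest_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(rel)
        return True, written


def run_demo() -> Dict[str, object]:
    """Runs every check against a throwaway Plugins/ directory under a temp web root."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as webroot:
        plugins = os.path.join(webroot, "Plugins")
        os.makedirs(plugins)
        mal, ben = build_sample_plugin_zip(True), build_sample_plugin_zip(False)
        results["single_root_check_passes_malicious"] = archive_has_single_root(mal)
        results["traversal_entries"] = find_traversal_entries(mal, plugins)
        naive = resolve_entry_path(plugins, "MyPlugin/../../target.php")
        expected_escape = os.path.join(os.path.realpath(webroot), "target.php")
        results["naive_target_is_outside_plugins"] = naive == expected_escape
        results["malicious_refused"] = safe_extract(mal, plugins)
        results["benign_result"] = safe_extract(ben, plugins)
        results["target_written"] = os.path.exists(os.path.join(webroot, "target.php"))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that validation happens before any byte is written and the whole archive is rejected on the first bad entry; validating during extraction, or stripping bad components and continuing, leaves the earlier entries on disk and invites partial installs. find_traversal_entries can be pointed at previously uploaded ZIPs when reviewing a deployment that was exposed before upgrading.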
Evidence notes
The debrief is based on the supplied CVE record, which shows publication on 2026-05-18 and modification on 2026-05-19. The NVD metadata ties the issue to FacturaScripts, lists the CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, and marks weaknesses CWE-20 and CWE-434. The supplied GitHub advisory and commit reference the fix, and the advisory text states the issue is resolved in version 2026.1. NVD currently marks the record as Deferred.
Official resources
Publicly disclosed on 2026-05-18 and last modified in the supplied record on 2026-05-19.