PatchSiren cyber security CVE debrief
CVE-2026-27892 NeoRazorX CVE debrief
CVE-2026-27892 is an information-disclosure flaw in FacturaScripts’ Library module. Before version 2026, uploaded images were stored and served byte-for-byte, so embedded EXIF/XMP/IPTC metadata was preserved and available to authenticated users who downloaded the file. That metadata could include GPS coordinates, device details, timestamps, comments, thumbnails, and other personally identifiable information. The issue was fixed in version 2026.
- Vendor: NeoRazorX
- Product: facturascripts
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
FacturaScripts administrators, security teams, privacy officers, and any organization that lets users upload photos or scanned images into the Library module should review this issue. It is especially relevant where employees may upload images from phones or cameras that retain location and device metadata.
Technical summary
The vulnerable behavior is server-side metadata retention in the Library upload/download path. According to the advisory, the module allowed unrestricted uploads, stored images persistently, provided authenticated download access, and performed no metadata sanitization. As a result, an authenticated downloader could retrieve the original image plus embedded metadata, creating a confidentiality issue classified by the source as CWE-200 and CWE-212. The reported CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.
Defensive priority
Medium. Treat it as a privacy and confidentiality issue with potentially high real-world impact when users upload personal photos or documents containing embedded metadata. Prioritize remediation if the Library module is used for employee uploads, customer content, or any workflow where location data or device details could be sensitive.
Recommended defensive actions
- Upgrade FacturaScripts to version 2026 or later, as noted in the advisory.
- Review existing Library uploads for sensitive embedded metadata, especially GPS and device-identifying fields.
- Strip EXIF, XMP, and IPTC metadata from images before storage or before making downloads available.
- Restrict Library download access to only the minimum set of authenticated users who need it.
- Audit other image upload paths in the application to confirm they do not preserve metadata unintentionally.
- If sensitive photos were uploaded previously, consider removing or reprocessing them and notifying affected users where appropriate.
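A stdlib-only illustration of the metadata-stripping action above, added here as an example and not taken from the advisory or from FacturaScripts' own code: it walks the JPEG segment structure, reports which metadata segments a file carries (APP1 for Exif/XMP, APP13 for IPTC/Photoshop, COM for comments) and rebuilds the file without them, leaving the compressed image data untouched. The sample bytes are constructed and not a decodable image; PNG, WebP and TIFF uploads need their own handling, and re-encoding through an image library is the simpler route when one is available.

```python
import struct
METADATA_MARKERS = {0xE1, 0xED, 0xFE}  # APP1 (Exif, XMP), APP13 (IPTC/Photoshop), COM
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # markers with no length field

def iter_segments(data):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, permitted before any marker
            pos += 1
        elif marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            end = pos + 2 + length    # length includes its own two bytes
            yield marker, pos, end
            if marker == 0xDA:        # SOS: entropy-coded image data follows
                return
            pos = end

def find_metadata(data):
    """Return the set of metadata segment markers present in a JPEG."""
    return {m for m, _, _ in iter_segments(data) if m in METADATA_MARKERS}

def strip_metadata(data):
    """Rebuild the JPEG without APP1/APP13/COM segments; pixel data is untouched."""
    out, last_end = bytearray(), 0
    for marker, start, end in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
        last_end = end
    return bytes(out + data[last_end:])  # scan data through EOI, copied verbatim

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: correct marker layout, dummy payloads (not a decodable image).
SAMPLE_JPEG = b"\xff\xd8" + b"".join(_segment(m, p) for m, p in [
    (0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),
    (0xE1, b"Exif\x00\x00<constructed GPS and device tags>"),
    (0xED, b"Photoshop 3.0\x00<constructed IPTC block>"),
    (0xFE, b"constructed comment: taken on my phone"),
    (0xDA, b"\x01\x01\x00\x00\x3f\x00"),
]) + b"\x12\x34\x56\xff\xd9"
```

Running `find_metadata` over existing Library uploads gives a quick triage list for the review step above; `strip_metadata` is the storage-side fix, applied before the file is written or served.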
Evidence notes
The description states that the Library module preserved image metadata and that the issue was fixed in version 2026. The linked GitHub advisory and commit are the primary evidence sources. NVD lists the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and weaknesses CWE-200 and CWE-212. NVD’s record is marked Deferred in the supplied source metadata, so the GitHub advisory should be treated as the main reference point.
Official resources
CVE published at 2026-05-18T22:16:38.543Z and last modified at 2026-05-19T14:44:43.127Z. The supplied source advisory indicates the issue was fixed in FacturaScripts version 2026.