PatchSiren cyber security CVE debrief
CVE-2026-42878 NeoRazorX CVE debrief
An unauthenticated information disclosure vulnerability exists in FacturaScripts open-source accounting and invoicing software prior to version 2026. The Installer controller exposes phpinfo() output to any remote attacker via a crafted GET request with the parameter phpinfo=TRUE. This disclosure reveals complete PHP configuration details, server environment variables—including database credentials, API keys, and application secrets stored as environment variables—filesystem paths, and loaded PHP extensions. The vulnerability requires no authentication and is exploitable on fresh deployments. The issue was resolved in version 2026.
- Vendor: NeoRazorX
- Product: facturascripts
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running FacturaScripts prior to version 2026, particularly those with fresh deployments or active Installer controllers. System administrators responsible for PHP application security and credential management. Security teams monitoring for information disclosure vulnerabilities that may facilitate credential theft or lateral movement.
Technical summary
The FacturaScripts Installer controller contains a debug functionality that exposes phpinfo() output when the phpinfo=TRUE parameter is present in GET requests. This endpoint lacks authentication controls, allowing any remote attacker to retrieve comprehensive system information. The disclosed data includes PHP configuration directives, server environment variables (which commonly contain database connection strings, API keys, and application secrets), absolute filesystem paths, and loaded PHP extensions with versions. This information aids attackers in reconnaissance and may directly expose credentials sufficient for further system compromise. The vulnerability affects only fresh deployments where the Installer controller remains active.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade FacturaScripts to version 2026 or later to remediate this vulnerability
- If immediate patching is not feasible, restrict network access to the Installer controller endpoint to trusted administrative hosts only
- Review server environment variables for sensitive values (database credentials, API keys, application secrets) and rotate any potentially exposed credentials
- Audit access logs for requests to /?phpinfo=TRUE to identify potential exploitation attempts
- Remove or disable the Installer controller on production deployments after initial setup is complete
- Consider implementing web application firewall rules to block phpinfo=TRUE parameter patterns on affected endpoints
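A log check for the audit step above, written as an added example that is not part of this advisory or of the FacturaScripts project. It assumes the combined access-log format used by Apache and nginx and treats any request whose query string carries phpinfo=TRUE (case-insensitive, percent-encoded variants included) as a probe; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Loose match for the Apache/nginx "combined" log format (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def is_phpinfo_probe(target: str) -> bool:
    """True when the request's query string asks the Installer for phpinfo output."""
    query = urlsplit(target).query
    # parse_qs percent-decodes names and values, so PHPINFO=true and phpinfo=%54RUE
    # are normalised before the comparison below.
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == "phpinfo" and any(v.lower() == "true" for v in values):
            return True
    return False


def find_phpinfo_requests(lines):
    """Return the parsed requests that match the phpinfo=TRUE pattern.

    The response status is kept so responders can separate probes the server
    answered from ones it rejected."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_phpinfo_probe(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:02:11 +0000] "GET /?phpinfo=TRUE HTTP/1.1" 200 68231 "-" "curl/8.5.0"
198.51.100.4 - - [27/May/2026:10:02:15 +0000] "GET /index.php?page=ListFacturaCliente HTTP/1.1" 200 12011 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:10:02:19 +0000] "GET /?PHPINFO=true HTTP/1.1" 200 68231 "-" "curl/8.5.0"
192.0.2.9 - - [27/May/2026:10:03:40 +0000] "GET /?phpinfo=%54RUE HTTP/1.1" 404 512 "-" "python-requests/2.31"
""".splitlines()

if __name__ == "__main__":
    for hit in find_phpinfo_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['target']} -> {hit['status']}")
```

Point the script at a real access log by replacing SAMPLE_LOG with the file's lines; a 200 response to a flagged request on an unpatched deployment means the phpinfo output was served and the credential rotation step above applies.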
Evidence notes
Vulnerability confirmed via GitHub Security Advisory GHSA-vrxf-vrc4-22p7. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N indicates a network-accessible, low-complexity, unauthenticated attack with low confidentiality impact and no integrity or availability impact. Classified as CWE-200 (Information Exposure). NVD status 'Deferred' as of record date.
Official resources
- CVE-2026-42878 CVE record (CVE.org)
- CVE-2026-42878 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27