PatchSiren

NeoRazorX CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM NeoRazorX CVE published 2026-05-27

CVE-2026-42877

A stored cross-site scripting (XSS) vulnerability in FacturaScripts 2025.92 and earlier allows authenticated users with warehouse module access to inject malicious JavaScript via product references. The payload executes when other users open the product search modal within sales or purchase documents. The vulnerability resides in two PHP files handling AJAX modal rendering for sales and purchasing workflows.

MEDIUM NeoRazorX CVE published 2026-05-27

CVE-2026-42879

FacturaScripts versions 2025.81 and earlier contain an authenticated unrestricted file upload vulnerability in the product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image by using a GIF89a header to bypass MIME type validation. The file is stored with its original executable extension (.php), enabling potential remote code execution. [truncated]

MEDIUM NeoRazorX CVE published 2026-05-27

CVE-2026-42878

An unauthenticated information disclosure vulnerability exists in FacturaScripts open-source accounting and invoicing software prior to version 2026. The Installer controller exposes phpinfo() output to any remote attacker via a crafted GET request with the parameter phpinfo=TRUE. This disclosure reveals complete PHP configuration details, server environment variables—including database credentials, API k [truncated]

LOW NeoRazorX CVE published 2026-05-18

CVE-2026-27964

CVE-2026-27964 is a reflected cross-site scripting issue in FacturaScripts versions 2025.7 and earlier. The application reflects the fsNick cookie value into HTML without proper encoding, allowing attacker-controlled script content to reach the browser before the application rejects the modified session and logs the user out. The issue was fixed in version 2025.8.

MEDIUM NeoRazorX CVE published 2026-05-18

CVE-2026-27892

CVE-2026-27892 is an information-disclosure flaw in FacturaScripts’ Library module. Before version 2026, uploaded images were stored and served byte-for-byte, so embedded EXIF/XMP/IPTC metadata was preserved and available to authenticated users who downloaded the file. That metadata could include GPS coordinates, device details, timestamps, comments, thumbnails, and other personally identifiable informati [truncated]

HIGH NeoRazorX CVE published 2026-05-18

CVE-2026-27891

CVE-2026-27891 describes a critical Zip Slip issue in FacturaScripts' plugin upload/extraction flow. The vulnerable Plugins::add() path handling validates only that an uploaded ZIP appears to have one root folder, but it does not sanitize individual file paths inside the archive. That allows crafted traversal entries such as folder/../../target.php to escape the intended plugins directory and write files [truncated]