FacturaScripts Unauthenticated Path Traversal Vulnerability (CVE-2026-45693)
FacturaScripts contains an unauthenticated path traversal vulnerability (CVE-2026-45693) in its static file controllers, allowing attackers to bypass authorization by manipulating URLs with `../` segments to read sensitive files like invoices and database backups from the application's filesystem without authentication.
FacturaScripts versions up to and including v2026.2 are vulnerable to an unauthenticated path traversal (CVE-2026-45693) in its static file controllers, specifically Core/Controller/Files.php and Core/Controller/Myfiles.php. This vulnerability allows attackers to read sensitive files from the FacturaScripts installation without authentication. The flaw arises because the application's controllers incorrectly authorize file access based on URL string prefixes rather than resolving the canonical filesystem path. By injecting path traversal sequences like ../ into URLs that begin with allow-listed folders (e.g., /Plugins/ or /MyFiles/Public/), an attacker can access files outside the intended directories. This can lead to the unauthorized disclosure of confidential data such as customer invoices, supplier invoices, document attachments, and database backups stored under MyFiles/Private/ and other non-public subfolders. The vulnerability was confirmed on commit de01369 (master, 2026-05-11) and tag v2026.2 using PHP 8.0.30 on Apache 2.4.56.
Attack Chain
- An unauthenticated attacker sends an HTTP GET request to a vulnerable FacturaScripts instance, targeting a static file controller (e.g.,
Core/Controller/Files.php). - The request URL includes a path traversal sequence such as
/Plugins/../MyFiles/Private/invoice.pdfor/MyFiles/Public/../Private/backup.sql, potentially using URL-encoded characters like%2e%2e. - The vulnerable controller receives the HTTP request and performs a prefix check on the raw URL string (e.g.,
strpos($url, '/Plugins/') === 0), which incorrectly grants initial authorization. - The application's underlying filesystem functions (e.g.,
is_file()) then resolve the../segment, effectively pointing to a file in a different, unauthorized directory (e.g.,MyFiles/Private/invoice.pdf). - The
isFileSafe()function checks the file's extension (e.g.,.pdf,.sql), which if on the allow-list, permits the file to be served. - For the
/MyFiles/Public/../path, theMyfiles.phpcontroller specifically bypasses themyfttoken check due to the/MyFiles/Public/prefix, despite the actual file being in a restrictedPrivatedirectory. - The application serves the sensitive file (e.g., customer invoice, database backup) to the unauthenticated attacker via the HTTP response.
- The attacker successfully exfiltrates internal documents or data that should normally be protected.
Impact
Successful exploitation of CVE-2026-45693 leads to the unauthorized disclosure of sensitive business data without requiring any authentication. This includes critical financial and operational documents such as customer and supplier invoices, detailed document attachments, and potentially entire database backups (SQL files). Such information could be used for corporate espionage, financial fraud, or further targeted attacks. The vulnerability affects any FacturaScripts installation up to v2026.2. While the vulnerability does not directly lead to remote code execution due to limitations on file extensions that can be served, the exposure of confidential business records poses a significant risk to data privacy and regulatory compliance.
Recommendation
- Deploy the Sigma rules
Detects CVE-2026-45693 Exploitation - Path Traversal via /Plugins/andDetects CVE-2026-45693 Exploitation - Path Traversal via /MyFiles/Public/to your SIEM and tune for your environment to identify exploitation attempts. - Monitor web server access logs (category
webserver) for HTTP GET requests containing path traversal sequences (e.g.,../,%2e%2e) in thecs-uri-stemorcs-uri-queryfields, especially targeting/Plugins/*or/MyFiles/Public/*routes. - Patch FacturaScripts instances to a version beyond v2026.2 that addresses CVE-2026-45693 as soon as a fix is available from the vendor.
Detection coverage 2
Detects CVE-2026-45693 Exploitation - Path Traversal via /Plugins/
highDetects CVE-2026-45693 exploitation - unauthenticated path traversal attempts targeting FacturaScripts via the /Plugins/ route, indicated by '..' or URL-encoded variants in the URI after '/Plugins/'.
Detects CVE-2026-45693 Exploitation - Path Traversal via /MyFiles/Public/
highDetects CVE-2026-45693 exploitation - unauthenticated path traversal attempts targeting FacturaScripts via the /MyFiles/Public/ route, indicated by '..' or URL-encoded variants in the URI after '/MyFiles/Public/'.
Detection queries are available on the platform. Get full rules →