{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/facturascripts--2026.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FacturaScripts (\u003c= 2026.1)"],"_cs_severities":["high"],"_cs_tags":["csv-injection","web-application","rce","credential-theft","facturascripts"],"_cs_type":"advisory","_cs_vendors":["FacturaScripts"],"content_html":"\u003cp\u003eA critical CSV formula injection vulnerability, identified as CVE-2026-45263, affects FacturaScripts, an open-source accounting and ERP system, specifically in versions up to 2026.1. This flaw allows low-privilege authenticated users to plant malicious spreadsheet formulas into various text fields, such as customer names, without proper sanitization. The core issue lies in \u003ccode\u003eCore/Lib/Export/CSVExport.php::writeData()\u003c/code\u003e, which fails to neutralize formula-triggering characters (like \u003ccode\u003e=\u003c/code\u003e, \u003ccode\u003e+\u003c/code\u003e, \u003ccode\u003e-\u003c/code\u003e, \u003ccode\u003e@\u003c/code\u003e) when exporting data to CSV. When an administrator, as part of their routine workflow, exports data containing these payloads and opens the resulting CSV file in spreadsheet software like Microsoft Excel or LibreOffice Calc, the embedded formulas are automatically executed. This can lead to severe consequences, including arbitrary code execution on the administrator's workstation via Dynamic Data Exchange (DDE) or macro invocation, and credential theft, enabling a complete host takeover. A Proof of Concept verified in April 2026 demonstrated the execution of \u003ccode\u003ecmd /c calc\u003c/code\u003e on an admin machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privilege authenticated user logs into the FacturaScripts application.\u003c/li\u003e\n\u003cli\u003eThe user navigates to a data entry form (e.g., \u003ccode\u003eEditCliente\u003c/code\u003e) and injects a malicious formula, such as \u003ccode\u003e=SUM(1+1)*cmd|/c calc!A1\u003c/code\u003e, into a text field (e.g., \u003ccode\u003enombre\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eFacturaScripts stores the input verbatim in the database because the \u003ccode\u003eTools::noHtml()\u003c/code\u003e sanitization function (located at \u003ccode\u003eCore/Tools.php:45\u003c/code\u003e) only strips HTML metacharacters and not formula-triggering characters.\u003c/li\u003e\n\u003cli\u003eAn administrator, performing routine tasks, initiates a CSV export of the affected data (e.g., \u003ccode\u003eListCliente\u003c/code\u003e via \u003ccode\u003e?action=export\u0026amp;option=CSV\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCSVExport::writeData()\u003c/code\u003e function in FacturaScripts exports the malicious formula unescaped into the generated CSV file.\u003c/li\u003e\n\u003cli\u003eThe administrator's web browser downloads the CSV file (e.g., \u003ccode\u003eexport.csv\u003c/code\u003e) to their local machine.\u003c/li\u003e\n\u003cli\u003eThe administrator opens the downloaded CSV file using a spreadsheet application (e.g., Microsoft Excel or LibreOffice Calc) on their workstation.\u003c/li\u003e\n\u003cli\u003eThe spreadsheet application interprets and executes the embedded formula, leading to arbitrary code execution (e.g., \u003ccode\u003ecalc.exe\u003c/code\u003e via DDE) or credential theft on the administrator's workstation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to severe consequences for organizations using FacturaScripts. Attackers can achieve arbitrary code execution on administrator workstations, effectively gaining a beachhead for further compromise and potentially full host takeover. This direct access can facilitate credential theft, exfiltrating sensitive information such as customer names, fiscal IDs, and financial balances, especially through common variants like \u003ccode\u003e=HYPERLINK\u003c/code\u003e or \u003ccode\u003e=WEBSERVICE\u003c/code\u003e payloads. The attack leverages the trusted context of a downloaded internal ERP report, bypassing standard security hygiene that would otherwise flag untrusted spreadsheets. Any organization utilizing FacturaScripts, particularly those where low-privilege users can modify records and administrators regularly export data, is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-45263 immediately by updating FacturaScripts to a version where the vulnerability is resolved or by applying the recommended code fix provided in the GitHub advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process creation activities originating from spreadsheet applications, which could indicate successful CSV formula injection exploitation.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003eprocess_creation\u003c/code\u003e logging on all endpoint detection and response (EDR) agents to capture the \u003ccode\u003eParentImage\u003c/code\u003e and \u003ccode\u003eImage\u003c/code\u003e fields for all executed processes, which is crucial for activating the rule above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T19:23:19Z","date_published":"2026-07-14T19:23:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-facturascripts-csv-injection/","summary":"FacturaScripts is vulnerable to CVE-2026-45263, a CSV formula injection vulnerability due to improper sanitization of user-supplied input when exporting data to CSV files, allowing a low-privilege authenticated user to embed formula-triggering characters in text fields that execute when an administrator opens the exported CSV with spreadsheet software, potentially leading to code execution on the admin's workstation via DDE or macro invocation and credential theft.","title":"FacturaScripts CSV Formula Injection via CSVExport Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-facturascripts-csv-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - FacturaScripts (\u003c= 2026.1)","version":"https://jsonfeed.org/version/1.1"}