<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FacturaScripts (&lt;= 2026.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/facturascripts--2026.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 19:23:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/facturascripts--2026.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>FacturaScripts CSV Formula Injection via CSVExport Leads to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-facturascripts-csv-injection/</link><pubDate>Tue, 14 Jul 2026 19:23:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-facturascripts-csv-injection/</guid><description>FacturaScripts is vulnerable to CVE-2026-45263, a CSV formula injection vulnerability due to improper sanitization of user-supplied input when exporting data to CSV files, allowing a low-privilege authenticated user to embed formula-triggering characters in text fields that execute when an administrator opens the exported CSV with spreadsheet software, potentially leading to code execution on the admin's workstation via DDE or macro invocation and credential theft.</description><content:encoded><![CDATA[<p>A critical CSV formula injection vulnerability, identified as CVE-2026-45263, affects FacturaScripts, an open-source accounting and ERP system, specifically in versions up to 2026.1. This flaw allows low-privilege authenticated users to plant malicious spreadsheet formulas into various text fields, such as customer names, without proper sanitization. The core issue lies in <code>Core/Lib/Export/CSVExport.php::writeData()</code>, which fails to neutralize formula-triggering characters (like <code>=</code>, <code>+</code>, <code>-</code>, <code>@</code>) when exporting data to CSV. When an administrator, as part of their routine workflow, exports data containing these payloads and opens the resulting CSV file in spreadsheet software like Microsoft Excel or LibreOffice Calc, the embedded formulas are automatically executed. This can lead to severe consequences, including arbitrary code execution on the administrator's workstation via Dynamic Data Exchange (DDE) or macro invocation, and credential theft, enabling a complete host takeover. A Proof of Concept verified in April 2026 demonstrated the execution of <code>cmd /c calc</code> on an admin machine.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A low-privilege authenticated user logs into the FacturaScripts application.</li>
<li>The user navigates to a data entry form (e.g., <code>EditCliente</code>) and injects a malicious formula, such as <code>=SUM(1+1)*cmd|/c calc!A1</code>, into a text field (e.g., <code>nombre</code>).</li>
<li>FacturaScripts stores the input verbatim in the database because the <code>Tools::noHtml()</code> sanitization function (located at <code>Core/Tools.php:45</code>) only strips HTML metacharacters and not formula-triggering characters.</li>
<li>An administrator, performing routine tasks, initiates a CSV export of the affected data (e.g., <code>ListCliente</code> via <code>?action=export&amp;option=CSV</code>).</li>
<li>The <code>CSVExport::writeData()</code> function in FacturaScripts exports the malicious formula unescaped into the generated CSV file.</li>
<li>The administrator's web browser downloads the CSV file (e.g., <code>export.csv</code>) to their local machine.</li>
<li>The administrator opens the downloaded CSV file using a spreadsheet application (e.g., Microsoft Excel or LibreOffice Calc) on their workstation.</li>
<li>The spreadsheet application interprets and executes the embedded formula, leading to arbitrary code execution (e.g., <code>calc.exe</code> via DDE) or credential theft on the administrator's workstation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to severe consequences for organizations using FacturaScripts. Attackers can achieve arbitrary code execution on administrator workstations, effectively gaining a beachhead for further compromise and potentially full host takeover. This direct access can facilitate credential theft, exfiltrating sensitive information such as customer names, fiscal IDs, and financial balances, especially through common variants like <code>=HYPERLINK</code> or <code>=WEBSERVICE</code> payloads. The attack leverages the trusted context of a downloaded internal ERP report, bypassing standard security hygiene that would otherwise flag untrusted spreadsheets. Any organization utilizing FacturaScripts, particularly those where low-privilege users can modify records and administrators regularly export data, is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-45263 immediately by updating FacturaScripts to a version where the vulnerability is resolved or by applying the recommended code fix provided in the GitHub advisory.</li>
<li>Deploy the provided Sigma rule to detect suspicious process creation activities originating from spreadsheet applications, which could indicate successful CSV formula injection exploitation.</li>
<li>Enable comprehensive <code>process_creation</code> logging on all endpoint detection and response (EDR) agents to capture the <code>ParentImage</code> and <code>Image</code> fields for all executed processes, which is crucial for activating the rule above.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>csv-injection</category><category>web-application</category><category>rce</category><category>credential-theft</category><category>facturascripts</category></item></channel></rss>