Tag
An authentication bypass vulnerability (CVE-2026-47677) in FacturaScripts' `/login?action=two-factor-validation` endpoint allows unauthenticated attackers to conduct a brute-force attack against Time-based One-Time Passwords (TOTP) for any 2FA-enabled user, including administrators, due to the absence of password verification, CSRF protection, and rate-limiting, leading to complete account takeover with high confidentiality and integrity impact, as well as potential denial of service via account lockout.