CVE-2026-42878: FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint

May 7, 2026 (updated June 8, 2026)

An unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated.

References

github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vrxf-vrc4-22p7
github.com/advisories/GHSA-vrxf-vrc4-22p7
nvd.nist.gov/vuln/detail/CVE-2026-42878

Code Behaviors & Features

Detect and mitigate CVE-2026-42878 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →