CVE-2026-42879: FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

May 7, 2026 (updated June 8, 2026)

An authenticated unrestricted file upload vulnerability exists in FacturaScripts’ product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php.

References

github.com/NeoRazorX/facturascripts/security/advisories/GHSA-vf3q-frmr-vrr9
github.com/advisories/GHSA-vf3q-frmr-vrr9
nvd.nist.gov/vuln/detail/CVE-2026-42879

Code Behaviors & Features

Detect and mitigate CVE-2026-42879 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →