CVE-2026-32699
MEDIUM SEVERITY
CVSS Score & Metrics
Base Score
4.3 / 10
Vulnerability Description
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-472
Source
GitHub
Vendor
composer
Product
facturascripts/facturascripts