CVE-2026-27892: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in NeoRazorX facturascripts
FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadata, which included GPS coordinates, device information, timestamps, embedded comments/notes, thumbnail previews, and other personally identifiable information (PII) preserved in the image metadata. Of all FacturaScripts' image upload features, only the Library module combined unrestricted uploads, persistent storage, authenticated download access, and a total lack of server-side metadata sanitization. This vulnerability carries significant real-world impact: an employee uploading a photo taken at their home inadvertently discloses their precise home address to every user with Library download access. This issue has been fixed in version 2026.
AI Analysis
Technical Summary
FacturaScripts, an open source accounting and invoicing software by NeoRazorX, had a vulnerability (CVE-2026-27892) in versions before 2026 where the Library module stored and served uploaded images without removing embedded EXIF/XMP/IPTC metadata. This metadata included sensitive information such as GPS coordinates, device information, timestamps, comments, and thumbnails. Any authenticated user with download access to the Library module could extract this data, leading to exposure of personally identifiable information. The vulnerability arises from the combination of unrestricted uploads, persistent storage, authenticated download access, and lack of server-side metadata sanitization. The issue is resolved in version 2026.
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive metadata embedded in images uploaded to the Library module. This can lead to privacy breaches, such as revealing precise physical locations (e.g., home addresses) of employees or other individuals who uploaded images. The confidentiality of personal information is compromised, but there is no indication of impact on integrity or availability. The CVSS score of 6.5 reflects a medium severity with high confidentiality impact and low complexity for exploitation by authenticated users.
Mitigation Recommendations
This vulnerability is fixed in FacturaScripts version 2026. Users should upgrade to version 2026 or later to ensure that image metadata is properly sanitized on upload. Since no official patch link or advisory is provided, verify the upgrade availability from the vendor's official channels. Until upgraded, restrict Library module download access to trusted users only and consider manual metadata removal before uploading images.
CVE-2026-27892: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in NeoRazorX facturascripts
Description
FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadata, which included GPS coordinates, device information, timestamps, embedded comments/notes, thumbnail previews, and other personally identifiable information (PII) preserved in the image metadata. Of all FacturaScripts' image upload features, only the Library module combined unrestricted uploads, persistent storage, authenticated download access, and a total lack of server-side metadata sanitization. This vulnerability carries significant real-world impact: an employee uploading a photo taken at their home inadvertently discloses their precise home address to every user with Library download access. This issue has been fixed in version 2026.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FacturaScripts, an open source accounting and invoicing software by NeoRazorX, had a vulnerability (CVE-2026-27892) in versions before 2026 where the Library module stored and served uploaded images without removing embedded EXIF/XMP/IPTC metadata. This metadata included sensitive information such as GPS coordinates, device information, timestamps, comments, and thumbnails. Any authenticated user with download access to the Library module could extract this data, leading to exposure of personally identifiable information. The vulnerability arises from the combination of unrestricted uploads, persistent storage, authenticated download access, and lack of server-side metadata sanitization. The issue is resolved in version 2026.
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive metadata embedded in images uploaded to the Library module. This can lead to privacy breaches, such as revealing precise physical locations (e.g., home addresses) of employees or other individuals who uploaded images. The confidentiality of personal information is compromised, but there is no indication of impact on integrity or availability. The CVSS score of 6.5 reflects a medium severity with high confidentiality impact and low complexity for exploitation by authenticated users.
Mitigation Recommendations
This vulnerability is fixed in FacturaScripts version 2026. Users should upgrade to version 2026 or later to ensure that image metadata is properly sanitized on upload. Since no official patch link or advisory is provided, verify the upgrade availability from the vendor's official channels. Until upgraded, restrict Library module download access to trusted users only and consider manual metadata removal before uploading images.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-24T15:19:29.717Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0c25c6ec166c07b08770af
Added to database: 5/19/2026, 8:56:38 AM
Last enriched: 5/19/2026, 8:56:49 AM
Last updated: 5/20/2026, 6:20:10 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.