Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2026-27891— Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism

CVSS 7.2 · High EPSS 0.11% · P29

Affected Version Matrix 1

VendorProductVersion RangeStatus
NeoRazorXfacturascripts< 2026.1affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-27891

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism
Source: NVD (National Vulnerability Database)
Vulnerability Description
FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory. The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder. An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has permissions the root directory. This issue is fixed in version 2026.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
NeoRazorXfacturascripts < 2026.1 -

II. Public POCs for CVE-2026-27891

#POC DescriptionSource LinkShenlong Link
AI-Generated POCVerified env Premium
Real sandbox recording· Watch the recording below to confirm the POC actually triggers the vulnerability.
Sandbox build & launch
Qwen3.6-35B-A3B · 10012 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-27891

登录查看更多情报信息。

Same Patch Batch · NeoRazorX · 2026-05-18 · 3 CVEs total

CVE-2026-278926.5 MEDIUMFacturaScripts: Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Do
CVE-2026-279643.9 LOWFacturaScripts: Reflected Cross-Site Scripting (XSS) via Cookie Manipulation

IV. Related Vulnerabilities

Same product: facturascripts
Same vendor: NeoRazorX
Same weakness: CWE-20

V. Comments for CVE-2026-27891

No comments yet

Leave a comment