CVE-2026-32699

Summary

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.

Affected Software

VendorProductVersion RangeStatus
NeoRazorXfacturascripts<= 2025.92affected

Weaknesses

  • CWE-472: CWE-472: External Control of Assumed-Immutable Web Parameter

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References