FacturaScripts CVE-2026-27891: Critical Zip Slip Leads to RCE

The National Vulnerability Database has disclosed CVE-2026-27891, a critical Zip Slip vulnerability affecting FacturaScripts versions 2026 and below. This flaw, residing in the Plugins::add() function, stems from improper validation of file paths within uploaded ZIP archives. Attackers can exploit this to achieve arbitrary file write and ultimately remote code execution (RCE) by overwriting sensitive .php files outside the intended plugin directory.

The core issue lies in the testZipFile function's insufficient sanitization. While it attempts to ensure that the ZIP contains a single root folder, it never validates the individual file paths beneath that folder. An attacker can bypass the check with an entry path such as ValidPluginName/../../shell.php: the explode call reports ValidPluginName as the root, which satisfies the validation, but on extraction the ../../ sequence traverses out of the plugin folder, allowing the attacker to write files to any location under the installation's root directory that the web server process can write to.
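As an added illustration (not FacturaScripts' own code, and written in Python rather than the project's PHP), the following contrasts the single-root check described above with a per-entry path check that normalizes every ZIP entry and refuses anything that would resolve outside the plugin directory; the PLUGIN_ROOT name and the sample archive are constructed for this example.

```python
import io
import posixpath
import zipfile

PLUGIN_ROOT = "Plugins"  # assumed plugin directory name (constructed for this example)


def naive_root_check(names):
    """Mirror the single-root check described above: only the first path
    component of each entry is compared, so traversal after it is invisible."""
    roots = {name.split("/", 1)[0] for name in names}
    return len(roots) == 1


def safe_entry_path(name, plugin_root=PLUGIN_ROOT):
    """Return the normalized destination for one ZIP entry, or None if the
    entry would land outside plugin_root. ZIP names are '/'-separated, so
    posixpath is used regardless of the host OS."""
    if name.startswith("/") or "\\" in name or "\x00" in name:
        return None  # absolute path, backslash tricks, embedded NUL
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return None  # escapes upward before it is even joined
    dest = posixpath.normpath(posixpath.join(plugin_root, norm))
    if not dest.startswith(plugin_root + "/"):
        return None  # resolved outside the plugin directory
    return dest


def vet_archive(zip_bytes, plugin_root=PLUGIN_ROOT):
    """Apply safe_entry_path to every entry. Returns (root, rejected): the
    single root folder the naive check would accept (None if entries
    disagree), and the entries that must not be extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    rejected = [n for n in names if safe_entry_path(n, plugin_root) is None]
    roots = {n.split("/", 1)[0] for n in names}  # same test as the naive check
    root = next(iter(roots)) if len(roots) == 1 else None
    return root, rejected


def build_sample_zip():
    """Constructed archive: one legitimate entry plus the traversal entry
    quoted in the advisory (the 'shell.php' body is an inert placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ValidPluginName/facturascripts.ini", "name = ValidPluginName\n")
        zf.writestr("ValidPluginName/../../shell.php", "placeholder\n")
    return buf.getvalue()
```

Running vet_archive over build_sample_zip() shows the naive root check passing while the per-entry check still flags the traversal entry, which is the gap the advisory describes.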

This vulnerability carries a CVSS score of 7.2 (HIGH), indicating significant risk. It’s a textbook example of CWE-20 (Improper Input Validation) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The fix is available in FacturaScripts version 2026.1, and immediate patching is crucial to prevent exploitation.

What This Means For You

  • If your organization uses FacturaScripts, you must immediately verify your version. Any installation running FacturaScripts 2026 or older is vulnerable to arbitrary file write and remote code execution. Patch to version 2026.1 without delay. This isn't theoretical; an attacker can drop a web shell and own your server.

🛡️ Detection Rules

Severity: critical · ATT&CK: T1190 Initial Access

FacturaScripts CVE-2026-27891: Zip Slip Arbitrary File Write to PHP

Sigma rule (YAML):
title: FacturaScripts CVE-2026-27891: Zip Slip Arbitrary File Write to PHP
id: scw-2026-05-18-ai-1
status: experimental
level: critical
description: |
  Detects a POST request to the FacturaScripts /plugins/add endpoint with a URI query containing 'shell.php', indicative of a Zip Slip attack attempting to write a malicious PHP file outside the intended plugin directory, leading to RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-18
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-27891/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    cs-uri|contains:
      - '/plugins/add'
    cs-uri-query|contains:
      - 'shell.php'
    sc-status:
      - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type                  Indicator
CVE-2026-27891  RCE                   FacturaScripts versions 2026 and below
CVE-2026-27891  Path Traversal        FacturaScripts Plugins::add() function in Plugins.php
CVE-2026-27891  Arbitrary File Write  Zip Slip attack via crafted ZIP archive containing 'ValidPluginName/../../shell.php'

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

