Improper access control in FacturaScripts - CVE-2026-32699
Published: April 28, 2026
FacturaScripts
Detailed vulnerability description
The vulnerability allows a remote user to modify user account identifiers.
The vulnerability exists due to improper access control in the EditUser controller when handling POST requests that include the nick parameter. A remote user can send a specially crafted request to modify user account identifiers.
The nick field is intended to be immutable in the user interface, but the backend still processes modified values.
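The gap described above, a field locked only in the form while the handler still applies it, is shown here as an added example that is not FacturaScripts code and not the project's fix. The UserRecord class, both functions, the field lists and the sample values are hypothetical; it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical user record for illustration; not FacturaScripts' own model.
final class UserRecord
{
    public function __construct(public string $nick, public string $email) {}
}

const IMMUTABLE_FIELDS = ['nick'];  // never changed after creation
const EDITABLE_FIELDS = ['email'];  // what an edit request may set

// Weak pattern: every submitted key that matches a property is copied, so a
// read-only input in the HTML form is the only thing protecting 'nick'.
function applyEditUnchecked(UserRecord $user, array $post): void
{
    foreach ($post as $key => $value) {
        if (is_string($key) && is_string($value) && property_exists($user, $key)) {
            $user->$key = $value;
        }
    }
}

// Corrected pattern: refuse the whole request if an immutable field differs
// from the stored value, then copy allow-listed fields only.
function applyEditChecked(UserRecord $user, array $post): void
{
    foreach (IMMUTABLE_FIELDS as $field) {
        if (array_key_exists($field, $post) && $post[$field] !== $user->$field) {
            throw new DomainException("field '{$field}' is immutable");
        }
    }
    foreach (EDITABLE_FIELDS as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $user->$field = $post[$field];
        }
    }
}

// Constructed request body: the client altered the field the form shows as locked.
$post = ['nick' => 'renamed', 'email' => 'new@example.test'];

$weak = new UserRecord('alice', 'alice@example.test');
applyEditUnchecked($weak, $post);
echo "unchecked: nick={$weak->nick} email={$weak->email}\n";

$safe = new UserRecord('alice', 'alice@example.test');
try {
    applyEditChecked($safe, $post);
} catch (DomainException $e) {
    echo "checked: rejected ({$e->getMessage()}), nick={$safe->nick}\n";
}
```

The checked version validates before it writes anything, so a rejected request leaves the record untouched rather than half-applied.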