Medium severity · GHSA Advisory · Published May 5, 2026 · Updated May 6, 2026
CVE-2026-32699
Description
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
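The failure described above, where only the user interface protects the field, is shown here as an added example next to a server-side check; it is not FacturaScripts code. The function names, the field allow-list and the sample data are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical field lists; not taken from the FacturaScripts code base.
const EDITABLE_FIELDS  = ['email', 'language']; // assumed allow-list of editable fields
const IMMUTABLE_FIELDS = ['nick'];              // the field the advisory says must not change

// Vulnerable pattern: every submitted field that matches a stored column is
// copied onto the record, so a read-only input in the UI is the only control.
function applyEditUnsafe(array $stored, array $post): array
{
    return array_merge($stored, array_intersect_key($post, $stored));
}

// Hardened pattern: reject any request that tries to change an immutable
// field, then copy only allow-listed fields onto the stored record.
function applyEditSafe(array $stored, array $post): array
{
    foreach (IMMUTABLE_FIELDS as $field) {
        if (array_key_exists($field, $post) && $post[$field] !== $stored[$field]) {
            throw new InvalidArgumentException("field '$field' cannot be modified");
        }
    }
    $allowed = array_intersect_key($post, array_flip(EDITABLE_FIELDS));
    return array_merge($stored, $allowed);
}

// Constructed sample data: a stored row and a form submission whose nick differs.
$stored = ['nick' => 'admin', 'email' => 'admin@example.test', 'language' => 'en'];
$post   = ['nick' => 'renamed', 'email' => 'new@example.test'];

// The unsafe handler accepts the changed nick.
$unsafe = applyEditUnsafe($stored, $post);
echo "unsafe handler stored nick: {$unsafe['nick']}\n";

// The safe handler refuses the same request.
try {
    applyEditSafe($stored, $post);
} catch (InvalidArgumentException $e) {
    echo "safe handler rejected request: {$e->getMessage()}\n";
}

// A legitimate edit that resubmits the unchanged nick still succeeds.
$ok = applyEditSafe($stored, ['nick' => 'admin', 'email' => 'new@example.test']);
echo "safe handler stored nick: {$ok['nick']}, email: {$ok['email']}\n";
```

Rejecting the request, rather than silently dropping the field, also gives the application a point at which to log an attempted change to an immutable field.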
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| facturascripts/facturascripts (Packagist) | <= 2024.92.x-dev | — |
Affected products
- Range: <= 2024.92.x-dev
Patches
No patches discovered yet.