Vulnerability Description
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
Related Weaknesses (CWE)
References
- https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-v
- https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-v
FAQ
What is CVE-2026-32699?
CVE-2026-32699 is a documented vulnerability. FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controll...
How severe is CVE-2026-32699?
CVSS scoring is not yet available for CVE-2026-32699. Check NVD for updates.
Is there a patch for CVE-2026-32699?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.