CVE-2026-32699— FacturaScripts unauthorized modification of immutable nick field via EditUser controller
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-32699
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FacturaScripts unauthorized modification of immutable nick field via EditUser controller
Source: NVD (National Vulnerability Database)
Vulnerability Description
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对假设不可变Web参数的外部可控制
Source: NVD (National Vulnerability Database)
Vulnerability Title
FacturaScripts 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FacturaScripts是西班牙Carlos Garcia个人开发者的一个开源 ERP 软件。 FacturaScripts 2025.92及之前版本存在安全漏洞,该漏洞源于未验证EditUser控制器POST请求中的nick参数,可能导致未经授权修改账户。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| NeoRazorX | facturascripts | <= 2025.92 | - |
II. Public POCs for CVE-2026-32699
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-32699
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: facturascripts
- CVE-2026-25513
FacturaScripts has SQL Injection vulnerability in API ORDER - CVE-2026-25514
FacturaScripts has SQL Injection vulnerability in Autocomple - CVE-2026-23476
FacturaScripts Affected by Reflected XSS - CVE-2026-23997
FacturaScripts has a Stored Cross-Site Scripting (XSS) in "O - CVE-2025-69210
FacturaScripts vulnerable to Stored Cross-Site Scripting (XS
Same vendor: NeoRazorX
- CVE-2026-25513
FacturaScripts has SQL Injection vulnerability in API ORDER - CVE-2026-25514
FacturaScripts has SQL Injection vulnerability in Autocomple - CVE-2026-23476
FacturaScripts Affected by Reflected XSS - CVE-2026-23997
FacturaScripts has a Stored Cross-Site Scripting (XSS) in "O - CVE-2025-69210
FacturaScripts vulnerable to Stored Cross-Site Scripting (XS
V. Comments for CVE-2026-32699
No comments yet