CVE-2026-32699

FacturaScripts unauthorized modification of immutable nick field via EditUser controller

Description

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.

INFO

Published Date :

2026-05-05T19:00:19.957Z

Last Modified :

2026-05-05T19:44:45.408Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-32699 vulnerability.

Vendors	Products
Neorazorx	Facturascripts

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32699.

URL	Resource
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability