CVE-2026-32699
published 2026-05-05
Priority P3 (36) · CVSS 4.0 base score 5.3 (medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics E, CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE and U are all not defined: X)
EPSS 0.33% (24.7th percentile)
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| facturascripts | facturascripts | 0 – 2024.92.x-dev | — |
| neorazorx | facturascripts | <= 2025.92 | — |
VulDB
NeoRazorX facturascripts up to 2025.92 User Interface nick external control of assumed-immutable web parameter (EUVD-2026-27438)
vuldb · 2026-05-05 · CVE-2026-32699 · CVSS 5.3 (MEDIUM)
VulDB rates this vulnerability as problematic and reports it in NeoRazorX facturascripts up to 2025.92. The affected code is an unspecified function of the User Interface component; manipulating the nick argument results in external control of an assumed-immutable web parameter (CWE-472).
The vulnerability is tracked as CVE-2026-32699. It can be exploited remotely, by an authenticated user (the CVSS vector carries PR:L). No public exploit is available.
GHSA
FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field
ghsa · 2026-04-28 · CVE-2026-32699 · MEDIUM · CWE-284
### Summary
The application fails to validate the `nick` parameter during a `POST` request to the `EditUser` controller. Although the UI prevents editing this field, a user can bypass that client-side restriction by sending the request through an intercepting proxy and changing the value, which renames any account (including the Administrator). This is Broken Access Control, and because `nick` is the identifier other records point at, it can also corrupt the audit trail.
### Details
The vulnerability exists in the user update logic. When a `POST` request is sent to `/EditUser`, the backend writes the `nick` form-data parameter to the record without checking that it matches the stored value, or that the requesting user is permitted to change a unique identifier that is intended to be immutable. The UI only hides the field; the server never enforces the restriction.
### PoC
1. Log in
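The pattern the CVE description and the GHSA Details section describe, hiding a field in the UI while the server still accepts it from form data, is easiest to see side by side with the fix. The following is an added example, not FacturaScripts code: a tiny in-memory model of an `EditUser`-style handler in its vulnerable form (mass-assigns every posted field, `nick` included) next to a hardened form (allow-lists editable columns and rejects any change to an immutable field). The `code` parameter used to select the record, the `langcode` column and the two sample users are assumptions constructed for the demo.

```python
"""Immutable-field bypass (CVE-2026-32699 pattern): vulnerable vs hardened handler.

Standalone model for illustration; not FacturaScripts code. The 'code' selector,
the column names and the sample users are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

IMMUTABLE_FIELDS = {"nick"}                 # primary key the UI never lets you edit
EDITABLE_FIELDS = {"email", "langcode"}     # hypothetical allow-list of writable columns


@dataclass
class User:
    nick: str
    email: str
    langcode: str = "en_EN"
    admin: bool = False


class UserStore:
    """In-memory stand-in for the users table, keyed by nick."""

    def __init__(self, users: List[User]) -> None:
        self._rows: Dict[str, User] = {u.nick: u for u in users}

    def get(self, nick: str) -> Optional[User]:
        return self._rows.get(nick)

    def save(self, old_nick: str, user: User) -> None:
        # Changing the primary key is a rename: drop the old key, insert the new one.
        self._rows.pop(old_nick, None)
        self._rows[user.nick] = user

    def nicks(self) -> List[str]:
        return sorted(self._rows)


def vulnerable_edit_user(store: UserStore, form: Dict[str, str]) -> str:
    """Vulnerable handler: copies every posted field onto the record.

    Only the UI hides 'nick'; a proxied request that includes it renames the account.
    """
    target = store.get(form["code"])   # 'code' = nick of the record being edited (assumption)
    if target is None:
        return "404 not found"
    old_nick = target.nick
    for name, value in form.items():
        if name != "code" and hasattr(target, name):
            setattr(target, name, value)   # mass assignment: 'nick' is accepted as well
    store.save(old_nick, target)
    return "200 saved"


def hardened_edit_user(store: UserStore, form: Dict[str, str]) -> str:
    """Hardened handler: enforce immutability server-side and write only allow-listed columns."""
    target = store.get(form["code"])
    if target is None:
        return "404 not found"
    # Reject, rather than silently ignore, so the attempt is visible in logs.
    for name in IMMUTABLE_FIELDS:
        if name in form and form[name] != getattr(target, name):
            return f"400 field '{name}' is immutable"
    for name, value in form.items():
        if name in EDITABLE_FIELDS:
            setattr(target, name, value)
    store.save(target.nick, target)
    return "200 saved"


Handler = Callable[[UserStore, Dict[str, str]], str]


def replay_attack(handler: Handler) -> Tuple[str, List[str]]:
    """Replay the advisory's proxied request against a fresh store.

    The form edits the 'admin' record and smuggles in nick=pwned, the field the UI
    would not have let the user change. Returns (status, nicks left in the store).
    """
    store = UserStore([User("admin", "admin@example.test", admin=True),
                       User("bob", "bob@example.test")])
    forged = {"code": "admin", "nick": "pwned", "email": "admin@example.test"}
    return handler(store, forged), store.nicks()


def legitimate_edit(handler: Handler) -> Tuple[str, Optional[str]]:
    """A normal edit (nick unchanged, email updated) must still succeed. Returns (status, new email)."""
    store = UserStore([User("bob", "bob@example.test")])
    form = {"code": "bob", "nick": "bob", "email": "bob@new.example.test"}
    status = handler(store, form)
    user = store.get("bob")
    return status, user.email if user else None


if __name__ == "__main__":
    print("vulnerable:", replay_attack(vulnerable_edit_user))   # admin renamed to pwned
    print("hardened:  ", replay_attack(hardened_edit_user))     # request rejected
    print("legit:     ", legitimate_edit(hardened_edit_user))   # ordinary edit still works
```

The important design choice is in `hardened_edit_user`: the check compares the posted `nick` against the stored row and returns a 4xx instead of quietly dropping the field, so an intercepting-proxy attempt shows up as a rejected request rather than vanishing. An allow-list of writable columns closes the same hole for any other column the form template happens not to render.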
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2026-05-05