THREAT OPS › Threat News › [GHSA] GHSA-c67f-gmxw-mj93 (critical) — FacturaScripts: Account takeover of any 2FA-enabled user
[GHSA] GHSA-c67f-gmxw-mj93 (critical) — FacturaScripts: Account takeover of any 2FA-enabled user
GHSA-c67f-gmxw-mj93 Severity: critical CVE: CVE-2026-47677
FacturaScripts: Account takeover of any 2FA-enabled user
# Authentication bypass in FacturaScripts: `/login?action=two-factor-validation` accepts brute-forceable TOTP without password or CSRF protection
## Summary
`Core/Controller/Login.php::twoFactorValidationAction()` accepts an unauthenticated POST containing only `fsNick` and `fsTw
Indicators of compromise
- CVE-2026-47677cve
Original source: https://github.com/advisories/GHSA-c67f-gmxw-mj93