THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-cv65-7cg8-r623 (high) — FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents

[GHSA] GHSA-cv65-7cg8-r623 (high) — FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents

medgithub_advisoriesPublished 2026-07-14

GHSA-cv65-7cg8-r623 Severity: high CVE: CVE-2026-45693

FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents

### Summary

The static file controllers in FacturaScripts decide whether a request is authorized by looking at the URL string instead of the canonical filesystem path. A request that starts with an allow-listed folder name but contains

Indicators of compromise

Original source: https://github.com/advisories/GHSA-cv65-7cg8-r623