Please report security vulnerabilities privately using GitHub's Report a vulnerability button. Do not open public issues for security matters.
We aim to acknowledge reports within 5 business days.
Only the latest stable release of FacturaScripts receives security fixes.
- Vulnerabilities exploitable by an unauthenticated attacker.
- Vulnerabilities that allow a low-privilege authenticated user (e.g. a regular employee role) to gain privileges they should not have, access other users' data, or compromise the server.
- SQL injection, stored XSS affecting other users, authentication bypass, CSRF on state-changing endpoints, insecure direct object references, path traversal reachable without admin privilege, and similar.
The following are not considered vulnerabilities and reports will be closed without action:
- Administrator-to-RCE via the plugin system. Administrators can install plugins, and plugins contain PHP code that executes inside FacturaScripts. This is the documented, intentional purpose of the plugin system — it is not a privilege escalation, because the attacker must already be an administrator (the highest privilege inside the application). This mirrors the behavior of WordPress, PrestaShop, Magento, Moodle, Drupal, Joomla and essentially every extensible PHP application, and is consistently rejected as "admin-to-RCE by design" by MITRE (CVE assignment) and GitHub Security Advisories. Protect the administrator account; do not expect the application to restrict what administrators can do.
- Any finding whose PoC requires an administrator account, including but not limited to: uploading themes/plugins/backups, editing settings that accept code or templates, importing data, running maintenance tools, or executing SQL through admin-only interfaces.
- Self-XSS (the attacker injects a payload into their own session).
- Vulnerabilities caused by server misconfiguration, such as running PHP-FPM/Apache/nginx as root, world-writable directories, missing TLS, or exposing .git/ publicly. These are deployment issues, not application issues.
- Missing security headers, cookie flags, or best-practice hardening without a demonstrated exploit.
- Clickjacking on pages without sensitive state-changing actions.
- Denial of service via resource exhaustion, large payloads, or regex complexity, unless a clearly disproportionate amplification is shown.
- Vulnerabilities in third-party dependencies — please report those to the upstream project. We track advisories via Composer and update dependencies on release.
- Reports generated by automated scanners without a working proof-of-concept demonstrating real impact.
- Social engineering, physical attacks, and attacks against FacturaScripts infrastructure (our hosting, email, accounts).
Researchers who report valid, in-scope vulnerabilities will be credited in the release notes of the fixed version, unless they prefer to remain anonymous.