CVE-2026-23476

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3	Patch
https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8	Release Notes
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4	Exploit Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-02 23:16

Updated : 2026-02-23 15:32

NVD link : CVE-2026-23476

Mitre link : CVE-2026-23476

CVE.ORG link : CVE-2026-23476

JSON object : View

Products Affected

facturascripts

facturascripts

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-23476", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-02-02T23:16:07.030", "references": [{"url": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8."}, {"lang": "es", "value": "FacturaScripts es un software de planificaci\u00f3n de recursos empresariales y contabilidad de c\u00f3digo abierto. Antes de la versi\u00f3n 2025.8, exist\u00eda un fallo de XSS reflejado en FacturaScripts. El problema radica en c\u00f3mo se muestran los mensajes de error. Se utiliza el filtro |raw de Twig, lo que omite el escape de HTML. Al activar un error de base de datos (como pasar una cadena donde se espera un n\u00famero entero), el mensaje de error incluye la entrada y se renderiza sin sanitizaci\u00f3n. Esta vulnerabilidad se ha corregido en la versi\u00f3n 2025.8."}], "lastModified": "2026-02-23T15:32:54.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "258F0619-F363-4A25-9BA2-18D2FA4C8576", "versionEndExcluding": "2025.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}