CVE-2026-23997

{"id": "CVE-2026-23997", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-23997", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T15:06:16.299874Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "NeoRazorX", "product": "facturascripts", "versions": [{"status": "affected", "version": "<= 2025.71"}]}]}], "published": "2026-02-02T23:16:07.347", "references": [{"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators."}, {"lang": "es", "value": "FacturaScripts es un software de planificaci\u00f3n de recursos empresariales y contabilidad de c\u00f3digo abierto. En la versi\u00f3n 2025.71 y anteriores, se descubri\u00f3 una vulnerabilidad de cross-site scripting (XSS) almacenado en el campo Observaciones. La falla ocurre en la vista Historial, donde los datos hist\u00f3ricos se renderizan sin la codificaci\u00f3n adecuada de entidades HTML. Esto permite a un atacante ejecutar JavaScript arbitrario en el navegador de los administradores que visualizan el historial."}], "lastModified": "2026-06-17T10:22:27.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4341C53-B996-439F-AE9E-42249F2A0D4E", "versionEndExcluding": "2025.71"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}