CVE-2026-23997

FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*

History

23 Feb 2026, 15:07

Type	Values Removed	Values Added
Summary		(es) FacturaScripts es un software de planificación de recursos empresariales y contabilidad de código abierto. En la versión 2025.71 y anteriores, se descubrió una vulnerabilidad de cross-site scripting (XSS) almacenado en el campo Observaciones. La falla ocurre en la vista Historial, donde los datos históricos se renderizan sin la codificación adecuada de entidades HTML. Esto permite a un atacante ejecutar JavaScript arbitrario en el navegador de los administradores que visualizan el historial.
References	~~() https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h -~~	() https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h - Vendor Advisory, Exploit
First Time		Facturascripts Facturascripts facturascripts
CPE		cpe:2.3:a:facturascripts:facturascripts::::::::

02 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-02 23:16

Updated : 2026-02-23 15:07

NVD link : CVE-2026-23997

Mitre link : CVE-2026-23997

CVE.ORG link : CVE-2026-23997

JSON object : View

Products Affected

facturascripts

facturascripts

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-23997", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2026-02-02T23:16:07.347", "references": [{"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators."}, {"lang": "es", "value": "FacturaScripts es un software de planificaci\u00f3n de recursos empresariales y contabilidad de c\u00f3digo abierto. En la versi\u00f3n 2025.71 y anteriores, se descubri\u00f3 una vulnerabilidad de cross-site scripting (XSS) almacenado en el campo Observaciones. La falla ocurre en la vista Historial, donde los datos hist\u00f3ricos se renderizan sin la codificaci\u00f3n adecuada de entidades HTML. Esto permite a un atacante ejecutar JavaScript arbitrario en el navegador de los administradores que visualizan el historial."}], "lastModified": "2026-02-23T15:07:15.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4341C53-B996-439F-AE9E-42249F2A0D4E", "versionEndExcluding": "2025.71"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}