CVE-2026-23476 | THREATINT

Description

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.

PUBLISHED Reserved 2026-01-13 | Published 2026-02-02 | Updated 2026-02-03 | Assigner GitHub_M

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 2025.8

affected

References

github.com/...cripts/security/advisories/GHSA-g6w2-q45f-xrp4

github.com/...ommit/2afd98cecd26c5f8357e0e321d86063ad1012fc3

github.com/NeoRazorX/facturascripts/releases/tag/v2025.8

cve.org (CVE-2026-23476)

nvd.nist.gov (CVE-2026-23476)

Download JSON