CVE-2026-42877 | THREATINT

Description

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-27 | Updated 2026-05-28 | Assigner GitHub_M

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

<= 2025.92

affected

References

github.com/...cripts/security/advisories/GHSA-r736-2678-fcrx exploit

github.com/...cripts/security/advisories/GHSA-r736-2678-fcrx

cve.org (CVE-2026-42877)

nvd.nist.gov (CVE-2026-42877)

Download JSON