Reflected XSS Vulnerability in FacturaScripts by NeoRazorX
CVE-2026-23476

5.4 MEDIUM

Key Information:

Vendor: Neorazorx
CVE Published: 2 February 2026

What is CVE-2026-23476?

FacturaScripts, an open-source enterprise resource planning (ERP) and accounting application, is vulnerable to reflected Cross-Site Scripting (XSS) because of the way it renders error messages. Error text is output through Twig's |raw filter, which disables the template engine's HTML escaping. When a user-supplied value causes a database error (for example, a string submitted where an integer is expected), the resulting error message includes the unsanitized input, and any HTML or script in that input is emitted into the page unchanged. The flaw was fixed in version 2025.8; users of earlier versions should upgrade.
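The following is an added illustration, not FacturaScripts code, of the contrast the advisory describes: the same error banner rendered once with |raw and once with Twig's default HTML autoescaping. It assumes Twig is installed via Composer; the template names, the sample input and the database error string are constructed for the example.

```php
<?php
// Added example (not from FacturaScripts). Assumes Twig is available through
// Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Two templates for the same error banner. The first mirrors the pattern in the
// advisory: |raw switches off HTML escaping for that value. The second leaves
// escaping to Twig, whose autoescape option defaults to 'html'.
$loader = new ArrayLoader([
    'error_raw.html.twig'  => '<div class="alert">{{ message|raw }}</div>',
    'error_safe.html.twig' => '<div class="alert">{{ message }}</div>',
]);
$twig = new Environment($loader);

// Constructed stand-in for a database error that reflects user input verbatim.
// The "<b>" tags show that any markup in the input survives into the page.
$userInput = '<b>not-an-integer</b>';
$dbError   = "Invalid integer value: '" . $userInput . "'";

echo $twig->render('error_raw.html.twig', ['message' => $dbError]), PHP_EOL;
// Output contains <b>not-an-integer</b> unchanged: the browser parses it as HTML.

echo $twig->render('error_safe.html.twig', ['message' => $dbError]), PHP_EOL;
// Output contains &lt;b&gt;not-an-integer&lt;/b&gt;: the browser shows it as text.
```

When reviewing a Twig code base for this class of bug, search the templates for every use of the raw filter and confirm each value it is applied to is either a constant or has been escaped before it reaches the template; error messages that embed user input should always go through the escaped path.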

Affected Version(s)

facturascripts < 2025.8

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved