Reflected Cross-Site Scripting Vulnerability in FacturaScripts Accounting Software
CVE-2026-27964

3.9 LOW

Key Information:

Vendor: Neorazorx
CVE Published: 18 May 2026

What is CVE-2026-27964?

FacturaScripts, an open-source accounting and invoicing application, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the fsNick cookie. The flaw occurs because the application reflects the value of this cookie directly into the HTML response without sanitization or output encoding. Although the server rejects unauthorized sessions and forces a logout, the reflected payload is still delivered in the response body and can execute in the user's browser before any redirection takes effect. The issue has been addressed in FacturaScripts version 2025.8.
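To make the mechanism concrete, the following is an added illustration written for this page, not FacturaScripts' own code: a response handler that reflects the fsNick cookie raw into the forced-logout page, beside a hardened version that encodes the value and redirects at the HTTP layer. The function names, the "/login" path and the sample cookie value are constructed for the example.

```php
<?php
// Added illustration, not FacturaScripts code: the response shape that makes a
// cookie-reflected XSS possible, beside a hardened version. Function names,
// the "/login" path and the sample cookie value are constructed for the example.

// Encode a string for an HTML text or attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable shape: the raw fsNick cookie is interpolated into an HTML body,
// and the forced logout is done client-side, so the browser parses the
// reflected markup before it ever follows the redirect.
function logoutResponseUnsafe(array $cookies): array
{
    $nick = $cookies['fsNick'] ?? '';
    $body = '<p>Session for ' . $nick . ' is not valid, redirecting.</p>'
          . '<meta http-equiv="refresh" content="0;url=/login">';
    return ['status' => 200, 'headers' => [], 'body' => $body];
}

// Hardened shape: redirect with a 302 at the HTTP layer, and encode anything
// that is still echoed in the fallback body.
function logoutResponseSafe(array $cookies): array
{
    $nick = $cookies['fsNick'] ?? '';
    $body = '<p>Session for ' . h($nick) . ' is not valid, redirecting.</p>';
    return ['status' => 302, 'headers' => ['Location: /login'], 'body' => $body];
}

// Constructed cookie value carrying HTML metacharacters (a harmless tag).
$cookies = ['fsNick' => '<b>nick</b>"'];

$unsafe = logoutResponseUnsafe($cookies);
$safe   = logoutResponseSafe($cookies);

// The raw tag survives in the unsafe body; the safe body carries only entities.
var_dump(strpos($unsafe['body'], '<b>nick</b>"') !== false);
var_dump(strpos($safe['body'], '&lt;b&gt;nick&lt;/b&gt;&quot;') !== false);
var_dump($safe['status']);
```

The same check applies to any other page that prints the cookie: grep the templates for the raw variable and confirm every occurrence passes through an encoder appropriate to its output context.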

Affected Version(s)

facturascripts < 2025.8

References

CVSS V3.1

Score: 3.9
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved