Description
FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators.
Published: 2026-02-02
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting allowing arbitrary JavaScript to run in the browsers of administrators viewing invoice history
Action: Patch immediately
AI Analysis

Impact

A stored Cross‑Site Scripting flaw is present in the Observations field of the History view. Historical data is rendered without proper HTML entity encoding, enabling an attacker to insert malicious JavaScript that executes when an administrator opens the history screen. The immediate effect is the ability to run code in the context of the administrator’s browser, which can lead to session hijacking, data exfiltration, or further compromise of the application. The vulnerability directly affects the confidentiality, integrity, and availability of managerial data and the user session.

Affected Systems

The software affected is FacturaScripts, produced by NeoRazorX, specifically versions 2025.71 and earlier. Upgrading beyond 2025.71 removes the flaw.

Risk and Exploitability

The CVSS score of 8 categorizes this vulnerability as high severity; the EPSS score is under 1%, indicating a low probability of exploitation at present. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers need to inject code into the Observations field to place the payload, which likely requires user privileges that allow adding or editing history entries. Once the payload is stored, any administrator who views the history will have their browser's script engine execute the injected code. The primary attack vector is the web application interface, with precedence on successful authentication and permission to view history.

Generated by OpenCVE AI on April 18, 2026 at 00:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest FacturaScripts release that omits the issue (versions newer than 2025.71).
  • Implement proper input validation and HTML entity encoding for all data displayed in the History view to neutralize any stored scripts.
  • Restrict the History view to administrator accounts only, ensuring that only trusted users can access potentially vulnerable content.

Generated by OpenCVE AI on April 18, 2026 at 00:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4v7v-7v7r-3r5h FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View
History

Mon, 23 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Facturascripts
Facturascripts facturascripts
Neorazorx
Neorazorx facturascripts
Vendors & Products Facturascripts
Facturascripts facturascripts
Neorazorx
Neorazorx facturascripts

Tue, 03 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators.
Title FacturaScripts has a Stored Cross-Site Scripting (XSS) in "Observations" field via History View
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Facturascripts Facturascripts
Neorazorx Facturascripts
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T15:06:30.329Z

Reserved: 2026-01-19T18:49:20.658Z

Link: CVE-2026-23997

cve-icon Vulnrichment

Updated: 2026-02-03T15:06:25.861Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:07.347

Modified: 2026-02-23T15:07:15.160

Link: CVE-2026-23997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses