Description
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/representatives-management' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.
Published: 2026-02-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side code execution via reflected XSS
Action: Immediate Patch
AI Analysis

Impact

A reflected cross‑site scripting vulnerability exists in the A3factura web application where the input parameter ‘name’ is echoed without proper encoding in the representative management page. If exploited, an attacker can embed malicious JavaScript that executes in the victim’s browser, enabling the execution of arbitrary code.

Affected Systems

The flaw is present in A3factura’s web platform, specifically in version 4.111.2‑rev.1 (both the A3factura and Wolters Kluwer distributions). Patch version 4.114.0‑rev.6 contains the remediation and was released on 17 February 2026.

Risk and Exploitability

The CVSS score is 4.8, indicating a low severity risk. The EPSS score is below 1%, implying a very low probability of active exploitation, and the entry is not listed in the CISA KEV catalog. The attack vector is likely a benign‑looking URL that a victim is tricked into visiting; no authentication or privileged access is required. An attacker can target any user who visits the crafted link, while the damage is confined to the victim’s browser session.

Generated by OpenCVE AI on April 18, 2026 at 19:34 UTC.

Remediation

Vendor Solution

The fix has been deployed in production in version 4.114.0-rev.6, released on 17/02/2026.


OpenCVE Recommended Actions

  • Update the A3factura installation to version 4.114.0‑rev.6 or later, which incorporates the XSS fix.
  • Reduce the exposure of the /incomes/representatives-management endpoint by requiring authentication or restricting it to internal users only.
  • Implement input validation and output encoding for the ‘name’ parameter to prevent reflected XSS, following CWE‑79 remediation guidelines.
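The third action, output encoding for the reflected 'name' parameter, is what CWE‑79 remediation comes down to in a hash‑routed single‑page app like the one in the advisory. The following is an added example written for this page, not A3factura's or Wolters Kluwer's code: it assumes (hypothetically) that the query string sits after the `#/` route, and the function names, the sample URL and the sample 'name' value are all constructed here. It shows the vulnerable pattern (raw parameter interpolated into markup) beside the hardened one (HTML‑encoded before interpolation).

```javascript
// Added example (not A3factura's code): encode the 'name' query parameter
// before reflecting it into the page, as the CWE-79 remediation requires.

// Escape the five characters that change meaning in HTML text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read 'name' from a hash-router URL of the shape used in the advisory.
// Assumption (hypothetical): the SPA keeps its query string after the '#/' route.
function nameFromHashUrl(url) {
  const hash = new URL(url).hash; // e.g. "#/incomes/representatives-management?name=..."
  const qIndex = hash.indexOf('?');
  if (qIndex === -1) return '';
  return new URLSearchParams(hash.slice(qIndex + 1)).get('name') ?? '';
}

// Vulnerable pattern: the parameter is interpolated into markup unchanged,
// so any tag it carries becomes part of the document.
function renderVulnerable(name) {
  return `<h2>Representative: ${name}</h2>`;
}

// Hardened pattern: encode before interpolation. When writing to a live DOM,
// element.textContent = name is simpler still and needs no encoding.
function renderHardened(name) {
  return `<h2>Representative: ${escapeHtml(name)}</h2>`;
}

// Constructed sample URL (not a real request); the 'name' value carries a
// script tag so the difference between the two renderers is visible.
const SAMPLE_URL =
  'https://a3factura-app.example/#/incomes/representatives-management?name=' +
  encodeURIComponent('Acme <script>alert(1)</script>');

// Returns both renderings of the same decoded parameter for comparison.
function demo() {
  const name = nameFromHashUrl(SAMPLE_URL);
  return { vulnerable: renderVulnerable(name), hardened: renderHardened(name) };
}

console.log(demo());
```

Validation alone (the first half of the bullet) is not a substitute for encoding: a legitimate representative name may contain an apostrophe or an ampersand, and the encoder above keeps such names displayable while removing their HTML meaning. If the framework's template binding already escapes by default, the hardened path is simply not opting out of it with a raw‑HTML directive.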



Advisories

No advisories yet.

History

Mon, 02 Mar 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wolterskluwer
                                      Wolterskluwer a3factura
CPEs                                  cpe:2.3:a:wolterskluwer:a3factura:4.111.2:rev.1:*:*:*:*:*:*
Vendors & Products                    Wolterskluwer
                                      Wolterskluwer a3factura
Metrics                               cvssV3_1
                                      {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Fri, 27 Feb 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 12:30:00 +0000

Type                 Values Removed   Values Added
Description                           Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/representatives-management' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.
Title                                 Multiple vulnerabilities in A3factura software
First Time appeared                   A3factura
                                      A3factura a3factura
Weaknesses                            CWE-79
CPEs                                  cpe:2.3:a:a3factura:a3factura:4.111.2-rev.1:*:*:*:*:*:*:*
Vendors & Products                    A3factura
                                      A3factura a3factura
References
Metrics                               cvssV4_0
                                      {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-26T14:13:41.794Z

Reserved: 2026-02-18T11:13:26.456Z

Link: CVE-2026-2677

Vulnrichment

Updated: 2026-02-26T14:12:31.312Z

NVD

Status : Analyzed

Published: 2026-02-26T13:16:16.740

Modified: 2026-03-02T17:15:51.550

Link: CVE-2026-2677

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses