Impact
The vulnerability is a reflected cross‑site scripting flaw in the A3factura web platform. When an attacker places malicious input in the ‘name’ parameter of the endpoint backing the application’s customers page, that input is reflected unescaped into the page and executes in the browser of any user who visits the crafted URL. The flaw therefore lets an attacker run arbitrary script code in a victim’s browser. Session hijacking, data theft, or defacement are plausible consequences inferred from the description, but the CVE details do not explicitly state these outcomes.
Affected Systems
A3factura software, versions 4.111.2‑rev.1 and earlier, including the edition delivered under the Wolters Kluwer brand, is affected. The flaw is present in the URL path ‘a3factura‑app.wolterskluwer.es/#/incomes/customers’ when the ‘name’ parameter is supplied. A fix is available in version 4.114.0‑rev.6, issued on 17 February 2026.
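An added illustration of the reflection pattern described above and its fix, written for this page and not taken from A3factura or OpenCVE. It assumes a single‑page application that reads its query string from the URL fragment; the route parser, the two render functions and the log‑triage helper are hypothetical names.

```javascript
// Added example (not A3factura's code): handle a `name` query parameter taken
// from a fragment route such as "#/incomes/customers?name=...".
// Assumption: the app parses its query string out of the URL fragment.

// Parse "?k=v&..." out of a fragment route like "#/incomes/customers?name=Acme".
function parseHashQuery(hash) {
  const qIndex = hash.indexOf("?");
  if (qIndex === -1) return {};
  return Object.fromEntries(new URLSearchParams(hash.slice(qIndex + 1)));
}

// HTML-escape untrusted text so it renders literally instead of being parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the reflected value is interpolated straight into HTML.
function renderCustomersUnsafe(hash) {
  const { name = "" } = parseHashQuery(hash);
  return `<h1>Customers matching: ${name}</h1>`;
}

// Hardened pattern: the same value is escaped before it reaches the HTML.
function renderCustomersSafe(hash) {
  const { name = "" } = parseHashQuery(hash);
  return `<h1>Customers matching: ${escapeHtml(name)}</h1>`;
}

// Triage helper for access-log review: flag fragment routes whose `name` value
// carries markup characters (a cheap signal for investigation, not an XSS filter).
function looksLikeMarkupInjection(hash) {
  const { name = "" } = parseHashQuery(hash);
  return /[<>"']/.test(name);
}
```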
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity: an XSS that requires user interaction and looks harmless at first glance. The EPSS suggests a very low likelihood of exploitation (<1%), and the vulnerability is not currently listed in the CISA KEV catalog. Still, because the flaw is triggered by a crafted link, attackers could entice users to click it, making this a low‑probability but fully remote attack vector that needs only an HTTP request carrying the malicious input.
OpenCVE Enrichment