Description
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerName', in 'a3factura-app.wolterskluwer.es/#/incomes/salesInvoices' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.
Published: 2026-02-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side code execution via Reflected XSS
Action: Apply Patch
AI Analysis

Impact

A3factura's web platform contains a reflected Cross-Site Scripting flaw that is triggered when a malicious value is supplied in the 'customerName' parameter on the /incomes/salesInvoices endpoint. Because the input is echoed back without proper output encoding, a crafted request can cause the victim's browser to execute arbitrary JavaScript. The vulnerability lets an attacker run code within the victim's session; it does not affect the server directly.

Affected Systems

The affected product is A3factura version 4.111.2-rev.1, released by A3factura and its partner Wolters Kluwer. A security fix was deployed in version 4.114.0-rev.6 on 17 Feb 2026. Users running any earlier release remain vulnerable.

Risk and Exploitability

The CVSS score of 4.8 classifies the flaw as moderate, while the EPSS score of < 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to entice a victim to click a crafted link or submit a form that injects a malicious 'customerName' value; the attack is confined to the victim's browser and does not facilitate higher-level compromise or server-side damage.

Generated by OpenCVE AI on April 18, 2026 at 10:23 UTC.

Remediation

Vendor Solution

The fix has been deployed in production in version 4.114.0-rev.6, released on 17/02/2026.
OpenCVE Recommended Actions

  • Upgrade A3factura to version 4.114.0-rev.6, which contains the necessary patch.
  • Deploy a Content Security Policy that restricts the sources of executable scripts to mitigate reflected XSS until the update is applied.
  • Apply proper output encoding or input validation on the 'customerName' parameter and any other user-supplied data so that special characters are rendered as text rather than interpreted as markup or script.
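The output-encoding recommendation above, as an added example that is not code from the advisory or from A3factura: a hash-routed view that reads 'customerName' from the URL and renders it, first in the unsafe concatenating form and then with the value encoded. The route handling, function names and sample value are assumptions.

```javascript
// Added example (not from the advisory or the A3factura code base): how a
// client-side view can reflect a route parameter such as 'customerName'
// unsafely, and the output-encoded rendering that closes the CWE-79 hole.
// The route shape, parameter handling and sample value are assumptions.

// Encode the five characters that let untrusted text break out of an HTML
// text node or attribute value (the "output encoding" the advisory recommends).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Extract 'customerName' from a hash-routed URL such as
// https://host/#/incomes/salesInvoices?customerName=ACME (assumed layout).
function customerNameFromHash(hash) {
  const query = hash.split('?')[1] || '';
  return new URLSearchParams(query).get('customerName') || '';
}

// Vulnerable pattern: the parameter is concatenated into markup verbatim,
// so a value containing markup is parsed as HTML instead of shown as text.
function renderUnsafe(customerName) {
  return '<h2>Invoices for ' + customerName + '</h2>';
}

// Hardened pattern: the same template, but the value is encoded first.
function renderSafe(customerName) {
  return '<h2>Invoices for ' + escapeHtml(customerName) + '</h2>';
}

// Constructed sample input: a name that carries an HTML tag. It stands in for
// any untrusted value; it is not a payload from the advisory.
const SAMPLE_HASH = '#/incomes/salesInvoices?customerName=' +
  encodeURIComponent('Acme <b>Ltd</b>');

const name = customerNameFromHash(SAMPLE_HASH);
console.log(renderUnsafe(name)); // the <b> tag survives as live markup
console.log(renderSafe(name));   // the tag is displayed as literal text
```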

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 17:00:00 +0000

  Type                 Values Removed  Values Added
  First Time appeared  -               Wolterskluwer; Wolterskluwer a3factura
  CPEs                 -               cpe:2.3:a:wolterskluwer:a3factura:4.111.2:rev.1:*:*:*:*:*:*
  Vendors & Products   -               Wolterskluwer; Wolterskluwer a3factura
  Metrics              -               cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 27 Feb 2026 15:15:00 +0000

  Type     Values Removed  Values Added
  Metrics  -               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 12:30:00 +0000

  Type                 Values Removed  Values Added
  Description          -               Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerName', in 'a3factura-app.wolterskluwer.es/#/incomes/salesInvoices' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.
  Title                -               Multiple vulnerabilities in A3factura software
  First Time appeared  -               A3factura; A3factura a3factura
  Weaknesses           -               CWE-79
  CPEs                 -               cpe:2.3:a:a3factura:a3factura:4.111.2-rev.1:*:*:*:*:*:*:*
  Vendors & Products   -               A3factura; A3factura a3factura
  References           -               -
  Metrics              -               cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-26T14:06:26.035Z

Reserved: 2026-02-18T11:25:13.322Z

Link: CVE-2026-2679

Vulnrichment

Updated: 2026-02-26T14:05:36.926Z

NVD

Status: Analyzed

Published: 2026-02-26T13:16:17.080

Modified: 2026-03-02T16:58:13.873

Link: CVE-2026-2679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses