Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw in the A3factura web platform: the customerVATNumber parameter of the incomes/salesDeliveryNotes endpoint is written back into the HTML response without being encoded, so a script supplied in that parameter is executed by the victim's browser with the privileges of the logged-in user. An attacker can thereby run arbitrary client-side code, for example to steal session data or redirect the user to a malicious site. Because the injection is reflected rather than stored, nothing persists on the server; the attacker must get the victim to open a crafted URL that carries the payload.
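To make the mechanism concrete, the following added example (written for this page; it is not A3factura's code and the handler, template and helper names are hypothetical) models a handler that reflects customerVATNumber into an HTML attribute unencoded, the same handler with HTML escaping applied, and the check a tester would run against a response body to decide whether the parameter is reflected without encoding. The probe string is a constructed test value, not a payload taken from the advisory.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical response template: the VAT number is placed inside a quoted
# attribute value, which is the HTML context that must be encoded.
TEMPLATE = (
    '<form method="get"><label>Customer VAT: '
    '<input name="customerVATNumber" value="{value}"></label></form>'
)

# Endpoint path from the advisory; the query string is what the attacker controls.
ENDPOINT = "/incomes/salesDeliveryNotes"


def build_url(vat: str) -> str:
    """Build the request URL an attacker would send the victim (constructed)."""
    return ENDPOINT + "?" + urlencode({"customerVATNumber": vat})


def _vat_from_url(url: str) -> str:
    """Extract the decoded customerVATNumber value from the URL's query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("customerVATNumber", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim: a '"' in the value breaks out of the
    attribute and any following markup is parsed as HTML (reflected XSS)."""
    return TEMPLATE.format(value=_vat_from_url(url))


def render_safe(url: str) -> str:
    """Same page, but the value is HTML-escaped with quotes included, so it
    cannot terminate the attribute or introduce new elements."""
    return TEMPLATE.format(value=html.escape(_vat_from_url(url), quote=True))


def is_reflected_unescaped(body: str, probe: str) -> bool:
    """Tester's check: does the raw probe (with its quote and angle brackets)
    survive into the response body unchanged?"""
    return probe in body


# Constructed probe: closes the attribute, then injects a script element.
PROBE = '"><script>alert(1)</script>'

if __name__ == "__main__":
    url = build_url(PROBE)
    print("request:", url)
    print("vulnerable:", is_reflected_unescaped(render_vulnerable(url), PROBE))
    print("escaped:   ", is_reflected_unescaped(render_safe(url), PROBE))
```

The check is deliberately simple: a literal match on the probe is enough to flag attribute-context reflection, but a real assessment should also confirm that the reflected markup actually executes in a browser, since encoding that is only partially applied (for example escaping `<` but not `"`) can still be exploitable in this context.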
Affected Systems
This flaw affects A3factura version 4.111.2-rev.1 and earlier. The vendor has released a corrective update, version 4.114.0-rev.6, available as of 17 February 2026; installations on older versions remain vulnerable until that update is applied.
Risk and Exploitability
The CVSS score of 4.8 corresponds to medium severity, and the EPSS score of less than 1 % indicates a very low probability of exploitation in the current threat landscape. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to visit a crafted URL, and the attacker's code runs only in the victim's browser within the A3factura session: this is client-side script execution, not remote code execution on the server. The risk is therefore moderate and unlikely to be leveraged at scale unless an attacker can target a specific user base with tailored phishing campaigns.
OpenCVE Enrichment