CVE-2026-42877 - Vulnerability Details

- FacturaScripts: Stored XSS via product reference in sales/purchases

Description

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.

Published: 2026-05-27

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CVE describes a stored Cross‑Site Scripting flaw in the product search modal of sales and purchases documents in FacturaScripts 2025.92 and earlier. An authenticated user with access to the warehouse module can create a product whose reference contains malicious JavaScript. When another authenticated user opens the product search modal, the script runs in that user’s browser, allowing arbitrary code execution.

Affected Systems

The flaw affects the NeoRazorX FacturaScripts application for versions 2025.92 and older. It is present in the product search modal used for sales and purchases documents and requires the warehouse module to be enabled as well as permissions to create products.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity and the necessity of authentication. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user who has permission to create products in the warehouse module; after inserting a malicious product reference, any other user who opens the search modal will have the script executed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NeoRazorX

facturascripts

affected

Version	Status	Constraints
`<= 2025.92`	affected	—

No data.

Vendor Product Confidence Versions

Neorazorx

Facturascripts

100%

Version	Status	Scheme	Platform
`[0,2025.92]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a FacturaScripts version newer than 2025.92 to remove the stored XSS flaw
If an immediate upgrade is not possible, restrict access to the warehouse module so that only trusted users can create products or disable the module for users who do not need it
Review existing product references and remove or sanitize any that contain JavaScript or script tags

Generated by OpenCVE AI on May 27, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-r736-2678-fcrx	FacturaScripts vulnerable to stored XSS via product reference in sales/purchases

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00165.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-r736-2678-fcrx

History

Thu, 28 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 28 May 2026 04:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Neorazorx Neorazorx facturascripts
Vendors & Products		Neorazorx Neorazorx facturascripts

Wed, 27 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.
Title		FacturaScripts: Stored XSS via product reference in sales/purchases
Weaknesses		CWE-79
References		https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-r736-2678-fcrx
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Neorazorx Facturascripts

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T18:37:06.291Z

Updated: 2026-05-28T15:15:20.904Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42877

Vulnrichment

Updated: 2026-05-28T15:14:06.784Z

NVD

Status : Deferred

Published: 2026-05-27T20:16:36.673

Modified: 2026-06-17T10:48:33.053

Link: CVE-2026-42877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T04:15:06Z

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object