CVE-2026-23476
Published 2026-02-02
| Metric | Value |
|---|---|
| Priority | P4 (25) |
| Severity | Medium |
| CVSS 3.1 base score | 5.4 |
| CVSS 3.1 vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| EPSS | 0.26% (16.7th percentile) |
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there is a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed: Twig's `| raw` filter is used, which skips HTML escaping. When a database error is triggered (for example by passing a string where an integer is expected), the error message includes the input and is rendered without sanitization. This vulnerability is fixed in 2025.8.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| facturascripts | facturascripts | < 2025.8 | 2025.8 |
| facturascripts | facturascripts | >= 0 < 2025.81 | 2025.81 |
| neorazorx | facturascripts | < 2025.8 | 2025.8 |
OSV, 2026-02-02: CVE-2026-23476 [MEDIUM] FacturaScripts is Vulnerable to Reflected XSS
# Reflected XSS via SQL Error Messages
## Summary
A reflected XSS bug has been found in FacturaScripts. The problem is in how error messages get displayed: the template uses Twig's `| raw` filter, which skips HTML escaping. When a database error is triggered (like passing a string where an integer is expected), the error message includes all input and gets rendered without sanitization.
Attackers can use this to phish credentials from other users since HttpOnly is set on cookies (so stealing cookies directly won't work, but attackers can inject a fake login form).
**CVSS 6.1 (Medium-High)**
---
## What was Found
### Where the bug exists in the code:
`Core/View/Macro/Utils.html.twig`, line 27:
```twig
{% for item in messages %}
{{ item.messag
```
GHSA, 2026-02-02: CVE-2026-23476 [MEDIUM] CWE-79 FacturaScripts is Vulnerable to Reflected XSS
No detection rules found.
No public exploits indexed.
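As an added example (not FacturaScripts code), a small Python audit that flags `{{ ... | raw }}` outputs in Twig templates and shows, on a constructed database error message, the difference between the raw rendering and the autoescaped rendering the advisory describes. The template fragment and the `item.message` variable name are assumptions that mirror the truncated snippet above.

```python
"""Flag `| raw` outputs in Twig templates and show why autoescaping matters."""
import html
import re

# A Twig output tag whose expression is passed through the raw filter,
# e.g. {{ item.message | raw }} or {{ msg|raw }}.
RAW_OUTPUT = re.compile(r"\{\{\s*(?P<expr>[^}]*?)\s*\|\s*raw\s*\}\}")


def find_raw_outputs(template: str):
    """Return (line_number, expression) for every {{ ... | raw }} in a template."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in RAW_OUTPUT.finditer(line):
            hits.append((lineno, match.group("expr")))
    return hits


def render_messages(messages, autoescape: bool) -> str:
    """Stand-in for the Twig message loop; autoescape=False mimics `| raw`."""
    rendered = []
    for item in messages:
        text = html.escape(item["message"], quote=True) if autoescape else item["message"]
        rendered.append(f'<div class="alert">{text}</div>')
    return "\n".join(rendered)


# Constructed fragment in the shape of the affected macro; `item.message` is assumed.
VULNERABLE_TEMPLATE = """{% for item in messages %}
<div class="alert">{{ item.message | raw }}</div>
{% endfor %}"""

# The fix: drop the filter so Twig's HTML autoescaping applies.
FIXED_TEMPLATE = VULNERABLE_TEMPLATE.replace(" | raw", "")

# Constructed database error that echoes a request parameter back to the user.
DB_ERROR = {"message": "Invalid integer value for 'id': <b>not-a-number</b>"}

if __name__ == "__main__":
    print("raw outputs:", find_raw_outputs(VULNERABLE_TEMPLATE))
    print(render_messages([DB_ERROR], autoescape=False))  # markup survives
    print(render_messages([DB_ERROR], autoescape=True))   # markup escaped
```

Running `find_raw_outputs` over a project's `.twig` files gives a quick inventory of every place that bypasses autoescaping; each hit needs a justification or the filter removed.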