CVE-2026-23997
Published: 2026-02-02
Priority: P3 · CVSS 3.1 base score 9 (critical)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.39% (30.3rd percentile)
FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. A low-privileged user can therefore store a payload that executes as arbitrary JavaScript in the browser of any administrator who later views the history.
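The description above pins the bug to one place: stored field values are interpolated into the History view without HTML entity encoding. The Python example below is added here and is not FacturaScripts code (the project is written in PHP and its real template and field names differ); it shows the bug class next to the encoded version, and two checks a tester can run against a rendered page after patching: a black-box probe that looks for a canary string in raw versus entity-encoded form, and a structural check that flags any element opening inside a table cell. The history rows and page markup are constructed for the example.

```python
"""Added example (not FacturaScripts code): a history view that interpolates
stored values without HTML entity encoding, the encoded version, and two
checks on rendered HTML. Entries and markup are constructed, not captured."""
import html
from html.parser import HTMLParser

# Harmless probe: it only survives intact if the renderer skips encoding.
CANARY = '<b id="xss-canary">canary</b>'


def sample_entries():
    """Constructed history rows: field name, previous value, new value."""
    return [
        {"field": "Observations", "old": "Delivered on time", "new": CANARY},
        {"field": "Number 2", "old": "", "new": "Plain & safe"},
    ]


def render_history_vulnerable(entries):
    """Template that trusts stored text: CANARY becomes live markup."""
    rows = "".join(
        f"<tr><td>{e['field']}</td><td>{e['old']}</td><td>{e['new']}</td></tr>"
        for e in entries
    )
    return f'<table id="history">{rows}</table>'


def render_history_fixed(entries):
    """Same template with every stored value passed through html.escape,
    which encodes < > & and quotes so the browser treats them as text
    (the Python counterpart of PHP's htmlspecialchars)."""
    def esc(value):
        return html.escape(str(value), quote=True)

    rows = "".join(
        f"<tr><td>{esc(e['field'])}</td><td>{esc(e['old'])}</td>"
        f"<td>{esc(e['new'])}</td></tr>"
        for e in entries
    )
    return f'<table id="history">{rows}</table>'


def classify_reflection(page, probe):
    """Black-box check: 'raw' if the probe appears verbatim, 'encoded' if
    only its entity-encoded form appears, 'absent' otherwise."""
    if probe in page:
        return "raw"
    if (html.escape(probe, quote=True) in page
            or html.escape(probe, quote=False) in page):
        return "encoded"
    return "absent"


class CellMarkupFinder(HTMLParser):
    """Records every element that opens inside a <td>. Correctly encoded
    cell text never yields a start tag, so any hit means unencoded output."""

    def __init__(self):
        super().__init__()
        self.open_cells = 0
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self.open_cells += 1
        elif self.open_cells:
            self.found.append(tag)

    def handle_endtag(self, tag):
        if tag == "td" and self.open_cells:
            self.open_cells -= 1


def markup_inside_cells(page):
    """Structural check that works without knowing the probe string."""
    finder = CellMarkupFinder()
    finder.feed(page)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for name, render in (("vulnerable", render_history_vulnerable),
                         ("fixed", render_history_fixed)):
        page = render(sample_entries())
        print(name, classify_reflection(page, CANARY), markup_inside_cells(page))
```

The canary uses a `<b>` element rather than `<script>` so it can be stored in a production instance without side effects; if `classify_reflection` reports `raw` or `markup_inside_cells` returns any tag for a page served by a patched version, the fix has not reached that view.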
Affected (3 ranges, as indexed from different sources)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| facturascripts | facturascripts | < 2025.71 | 2025.71 |
| facturascripts | facturascripts | 0 – 2025.71 | — |
| neorazorx | facturascripts | <= 2025.71 | — |
The ranges disagree on whether 2025.71 itself is affected: the CVE description says 2025.71 and earlier, while the first range lists 2025.71 as the fixed version. Until the vendor confirms a fixed release, treat 2025.71 as affected and verify the History view on the running instance rather than relying on the version number alone.
OSV (2026-02-02): CVE-2026-23997 [HIGH] FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View
### Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of an administrator who views the history.
### Details
When an administrator views the History tab of that specific note, the script executes in their browser session.
### PoC
1. Log in as a regular user.
2. Open "Sales" => "Customers" => "Delivery Notes".
3. Choose one of the customers or create a new one.
4. Open "Delivery notes".
5. Create a new Delivery Note or edit an existing one. Fill the "Number 2" field with
GHSA (2026-02-02): CVE-2026-23997 [HIGH] CWE-79 FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View
Advisory text (Summary, Details, PoC) identical to the OSV entry above.
Detection rules: none found
Public exploits: none indexed
Published: 2026-02-02