CVE-2026-42877
Published 2026-05-27
Priority P4 · 26 · Medium 5.4 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.17% (percentile 6.1)
FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| facturascripts | facturascripts | 0 – 2025.92 | — |
| neorazorx | facturascripts | <= 2025.92 | — |
VulDB
NeoRazorX facturascripts up to 2025.92 Warehouse SalesModalHTML.php cross site scripting (EUVD-2026-32630)
vuldb · 2026-05-27 · CVSS 5.4 · MEDIUM
A vulnerability classified as problematic has been found in NeoRazorX facturascripts up to 2025.92. The impacted element is an unknown function in the library Core/Lib/AjaxForms/SalesModalHTML.php of the component Warehouse Module. This manipulation causes cross site scripting.
This vulnerability is registered as CVE-2026-42877. Remote exploitation of the attack is possible. No exploit is available.
GHSA
FacturaScripts vulnerable to stored XSS via product reference in sales/purchases
ghsa · 2026-05-07 · MEDIUM · CWE-79
## Summary
A stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.
## Affected files
- `Core/Lib/AjaxForms/SalesModalHTML.php`
- `Core/Lib/AjaxForms/PurchasesModalHTML.php`
## Vulnerability details
The `referencia` field of a product variant is injected directly into an HTML `onclick` attribute string without JavaScript context escaping:
```php
// SalesModalHTML.php ~line 102
$tbody .= '';
```
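The snippet above lost the HTML inside the string during extraction, so here is an added illustration of the bug class it describes, written for this page and not taken from FacturaScripts: a reference string concatenated into an `onclick` handler without escaping, beside two hardened renderers and a small audit helper for references that were stored before a fix. The `selectProduct` handler name, the `descripcion` key and the three sample variants are constructed for the demo; only the `referencia` field name comes from the advisory.

```php
<?php
// Added illustration, not FacturaScripts code. Models the advisory's bug:
// a product reference lands inside a JS string inside an HTML attribute.

// Constructed sample variants. The last one closes the JS string literal and
// the HTML attribute, so the vulnerable renderer emits attacker-chosen markup.
$variants = [
    ['referencia' => 'ART-001', 'descripcion' => 'Widget'],
    ['referencia' => "A'B",     'descripcion' => 'Apostrophe in reference'],
    ['referencia' => '"><img src=x onerror=alert(document.cookie)>', 'descripcion' => 'Malicious'],
];

// Vulnerable pattern: no encoding for either the JS or the HTML context.
// selectProduct() is a hypothetical client-side handler for this demo.
function renderRowVulnerable(array $v): string
{
    return '<tr class="clickableRow" onclick="selectProduct(\'' . $v['referencia'] . '\')">'
        . '<td>' . $v['referencia'] . '</td><td>' . $v['descripcion'] . '</td></tr>';
}

// Hardened pattern: keep data out of the handler. The reference goes into a
// data- attribute as HTML-escaped text; one delegated listener reads it back:
//   document.querySelector('tbody').addEventListener('click', e => {
//     const tr = e.target.closest('tr[data-referencia]');
//     if (tr) selectProduct(tr.dataset.referencia);
//   });
// The browser decodes the attribute, so no JS-in-HTML double encoding is needed.
function renderRowSafe(array $v): string
{
    $ref  = htmlspecialchars($v['referencia'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $desc = htmlspecialchars($v['descripcion'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr class="clickableRow" data-referencia="' . $ref . '">'
        . '<td>' . $ref . '</td><td>' . $desc . '</td></tr>';
}

// If the inline handler must stay, encode for both layers in order: json_encode
// produces a valid JS string literal (the HEX flags escape quotes, <, > and &
// as \uXXXX), then htmlspecialchars makes that literal safe inside the attribute.
function renderRowSafeInline(array $v): string
{
    $js   = json_encode($v['referencia'], JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    $attr = htmlspecialchars('selectProduct(' . $js . ')', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $ref  = htmlspecialchars($v['referencia'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr class="clickableRow" onclick="' . $attr . '"><td>' . $ref . '</td></tr>';
}

// Audit helper: flag stored references containing characters that can break
// out of a quoted JS string or an HTML attribute. A patch stops new injection
// but does not clean payloads an attacker stored before it was applied.
function suspiciousReferences(array $variants): array
{
    $hits = [];
    foreach ($variants as $v) {
        if (preg_match('/[<>"\'&\\\\]/', $v['referencia'])) {
            $hits[] = $v['referencia'];
        }
    }
    return $hits;
}

foreach ($variants as $v) {
    echo 'VULNERABLE:  ' . renderRowVulnerable($v) . PHP_EOL;
    echo 'SAFE:        ' . renderRowSafe($v) . PHP_EOL;
    echo 'SAFE-INLINE: ' . renderRowSafeInline($v) . PHP_EOL . PHP_EOL;
}
echo 'Stored references needing review: ' . implode(' | ', suspiciousReferences($variants)) . PHP_EOL;
```

Running it with `php` prints the malicious variant rendered three ways: the vulnerable row contains a live `<img onerror>` tag, while both hardened rows carry it only as inert escaped text. The audit helper is deliberately broad (it also flags the harmless `A'B`), which is the right trade-off when reviewing a table after the fact: a human confirms the hits, and the renderer, not the data, is what must guarantee safety.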
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-27