Neorazorx Facturascripts vulnerabilities
13 known vulnerabilities affecting neorazorx/facturascripts.

Total CVEs: 13
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 7, LOW 1

Vulnerabilities
CVE-2026-25513 | P2 | HIGH | CVSS 8.8 | fixed in 2025.81 | 2026-02-04
CVE-2026-25513 [HIGH] CWE-20
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method wher
Source: nvd
CVE-2025-69210 | P3 | MEDIUM | CVSS 5.4 | PoC | fixed in 2025.7 | 2025-12-30
CVE-2025-69210 [MEDIUM] CWE-79
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without suf
Source: nvd
CVE-2026-25514 | P3 | HIGH | CVSS 8.8 | fixed in 2025.81 | 2026-02-04
CVE-2026-25514 [HIGH] CWE-20
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored
Source: nvd
CVE-2026-27891 | P3 | HIGH | CVSS 7.2 | fixed in 2026.1 | 2026-05-18
CVE-2026-27891 [HIGH] CWE-20
FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RC
Source: nvd
CVE-2026-23997 | P3 | CRITICAL | CVSS 9.0 | ≤ 2025.71 | 2026-02-02
CVE-2026-23997 [CRITICAL] CWE-79
FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitra
Source: nvd
CVE-2026-42879 | P3 | MEDIUM | CVSS 6.3 | ≤ 2025.81 | 2026-05-27
CVE-2026-42879 [MEDIUM] CWE-94
FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The
Source: nvd
CVE-2026-27892 | P3 | MEDIUM | CVSS 6.5 | fixed in 2026 | 2026-05-18
CVE-2026-27892 [MEDIUM] CWE-200
FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadata, which included GPS coordinates, device information,
Source: nvd
CVE-2026-32699 | P3 | MEDIUM | CVSS 5.3 | ≤ 2025.92 | 2026-05-05
CVE-2026-32699 [MEDIUM] CWE-472
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form
Source: nvd
CVE-2026-42878 | P4 | MEDIUM | CVSS 5.3 | fixed in v2026 | 2026-05-27
CVE-2026-42878 [MEDIUM] CWE-200
FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (inclu
Source: nvd
CVE-2026-42877 | P4 | MEDIUM | CVSS 5.4 | ≤ 2025.92 | 2026-05-27
CVE-2026-42877 [MEDIUM] CWE-79
FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An authenticated user with access to the warehouse module
Source: nvd
CVE-2026-23476 | P4 | MEDIUM | CVSS 5.4 | fixed in 2025.8 | 2026-02-02
CVE-2026-23476 [MEDIUM] CWE-79
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there is a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error m
Source: nvd
CVE-2022-1457 | P4 | CRITICAL | ≥ 0, < 2022.04 | 2022-04-26
CVE-2022-1457 [CRITICAL] CWE-79 Cross site scripting in facturascripts
FacturaScripts is an open source ERP software. Stored XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as autho
Source: ghsa, osv
CVE-2026-27964 | P4 | LOW | CVSS 3.9 | fixed in 2025.8 | 2026-05-18
CVE-2026-27964 [LOW] CWE-79
FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick cookie is rendered into the DOM without encoding. While the ser
Source: nvd