Vulnerability Description
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Facturascripts | Facturascripts | < 2025.8 |
Related Weaknesses (CWE)
References
- https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d860Patch
- https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8Release Notes
- https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-23476?
CVE-2026-23476 is a vulnerability with a CVSS score of 5.4 (MEDIUM). FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Tw...
How severe is CVE-2026-23476?
CVE-2026-23476 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23476?
Check the references section above for vendor advisories and patch information. Affected products include: Facturascripts Facturascripts.