{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T15:47:41.626Z", "datePublished": "2026-02-02T20:49:05.731Z", "dateUpdated": "2026-02-03T15:33:51.348Z"}, "containers": {"cna": {"title": "FacturaScripts Affected by Reflected XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4"}, {"name": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3", "tags": ["x_refsource_MISC"], "url": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3"}, {"name": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8"}], "affected": [{"vendor": "NeoRazorX", "product": "facturascripts", "versions": [{"version": "< 2025.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T20:49:05.731Z"}, "descriptions": [{"lang": "en", "value": "FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8."}], "source": {"advisory": "GHSA-g6w2-q45f-xrp4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:33:36.983717Z", "id": "CVE-2026-23476", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:33:51.348Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:33:36.983717Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:33:47.336Z"}}], "cna": {"title": "FacturaScripts Affected by Reflected XSS", "source": {"advisory": "GHSA-g6w2-q45f-xrp4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "NeoRazorX", "product": "facturascripts", "versions": [{"status": "affected", "version": "< 2025.8"}]}], "references": [{"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4", "name": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3", "name": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8", "name": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T20:49:05.731Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23476", "state": "PUBLISHED", "dateUpdated": "2026-02-03T15:33:51.348Z", "dateReserved": "2026-01-13T15:47:41.626Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-02T20:49:05.731Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*", "matchCriteriaId": "258F0619-F363-4A25-9BA2-18D2FA4C8576", "versionEndExcluding": "2025.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8."}, {"lang": "es", "value": "FacturaScripts es un software de planificaci\u00f3n de recursos empresariales y contabilidad de c\u00f3digo abierto. Antes de la versi\u00f3n 2025.8, exist\u00eda un fallo de XSS reflejado en FacturaScripts. El problema radica en c\u00f3mo se muestran los mensajes de error. Se utiliza el filtro |raw de Twig, lo que omite el escape de HTML. Al activar un error de base de datos (como pasar una cadena donde se espera un n\u00famero entero), el mensaje de error incluye la entrada y se renderiza sin sanitizaci\u00f3n. Esta vulnerabilidad se ha corregido en la versi\u00f3n 2025.8."}], "id": "CVE-2026-23476", "lastModified": "2026-02-23T15:32:54.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-02T23:16:07.030", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:31:37.447149+00:00", "value": {"mitigation_remediation": ["Upgrade to FacturaScripts v2025.8, where the raw filter is no longer used for error messages", "Refactor any custom templates to replace Twig's | raw filter with safe rendering or explicit HTML escaping", "Audit error handling paths to ensure user input never appears unescaped in responses"], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (potential session hijacking or defacement)"}, "threat_synthesis": {"affected_systems": "Any deployment of NeoRazorX FacturaScripts with a version prior to 2025.8 is vulnerable. No specific sub\u2011version is singled out; the issue affects the entire codebase that handles error rendering.", "description_and_impact": "FacturaScripts contains a reflected XSS flaw that surfaces when an attacker triggers a database error by supplying malicious input. The error message is rendered with the Twig | raw filter, which bypasses HTML escaping and allows the attacker to inject arbitrary JavaScript. This can lead to the execution of attacker\u2011controlled code in the victim\u2019s browser, potentially stealing session cookies, defacing the page, or conducting further attacks.", "risk_and_exploitability": "The CVSS score of 5.4 classifies the vulnerability as moderate. The EPSS score is below 1%, indicating a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote via web input; exploitation requires ability to supply crafted data to an endpoint that can trigger a database error and expose the error message to the browser. Successful exploitation would provide only client\u2011side effects, such as session hijacking or defacement, not direct code execution on the server."}}}}, "created": "2026-02-04T12:18:07.991160+00:00", "updated": "2026-04-18T00:45:32.228962+00:00", "vendors": ["facturascripts", "facturascripts$PRODUCT$facturascripts", "neorazorx", "neorazorx$PRODUCT$facturascripts"]}