CVE-2026-23476
- Source
- https://cve.org/CVERecord?id=CVE-2026-23476
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23476.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23476
- Aliases
- Published
- 2026-02-02T20:49:05.731Z
- Modified
- 2026-03-01T02:56:23.752497Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- FacturaScripts Affected by Reflected XSS
- Details
-
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23476.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23476.json
- https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3
- https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8
- https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4
- https://nvd.nist.gov/vuln/detail/CVE-2026-23476
Affected packages
Git / github.com/neorazorx/facturascripts
Affected ranges
- Type
- GIT
- Repo
- https://github.com/neorazorx/facturascripts
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
2018.*
2018.03
2018.04
2018.05
2018.11
c2024.*
c2024.92
v2018.*
v2018.12
v2018.13
v2018.14
v2018.15
v2018.16
v2020.*
v2020.01
v2020.2
v2020.3
v2020.4
v2020.51
v2020.61
v2020.71
v2020.80
Other
v2021
v2024
v2025
v2021.*
v2021.1
v2021.2
v2021.4
v2021.51
v2021.71
v2021.81
v2022.*
v2022.06
v2022.08
v2022.2
v2022.4
v2022.51
v2023.*
v2023.03
v2023.08
v2023.16
v2023.21
v2024.*
v2024.1
v2024.2
v2024.3
v2024.5
v2024.7
v2024.8
v2024.9
v2024.91
v2025.*
v2025.11
v2025.2
v2025.3
v2025.4
v2025.41
v2025.43
v2025.7
v2025.71