CVE-2026-23997
HIGH
GHSA-4v7v-7v7r-3r5h
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators.
Analysis
FacturaScripts versions 2025.71 and earlier contain a stored XSS vulnerability in the Observations field that executes arbitrary JavaScript when administrators view historical data. An authenticated attacker can inject malicious scripts that persist in the database and compromise admin sessions, with public exploit code already available. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all FacturaScripts deployments and their versions; restrict access to the Observations field to administrative users only and disable it where possible. Within 7 days: Implement WAF rules to sanitize input to the Observations field and conduct user awareness training on phishing/social engineering. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today