Skip to main content

A3factura CVE-2026-2677

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-02-26 cve-coordination@incibe.es
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 26, 2026 - 13:16 nvd
MEDIUM 6.1

DescriptionCVE.org

Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/representatives-management' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.

AnalysisAI

A3factura's representatives management endpoint contains a reflected XSS vulnerability in the 'name' parameter that enables attackers to inject and execute arbitrary JavaScript in users' browsers through a crafted URL. An attacker can exploit this via social engineering to steal session tokens, manipulate account data, or perform unauthorized actions on behalf of the victim. Currently no patch is available for this medium-severity vulnerability affecting the Wolters Kluwer A3factura platform.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects A3Factura. Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/representatives-management' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Share

CVE-2026-2677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy