Skip to main content

FacturaScripts CVE-2026-27964

LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 https://github.com/NeoRazorX/facturascripts GHSA-gq5c-rw37-g46c
3.9
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.9 LOW
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 20:01 vuln.today
Analysis Generated
May 07, 2026 - 20:01 vuln.today
CVE Published
May 07, 2026 - 19:34 nvd
LOW 3.9

DescriptionGitHub Advisory

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization.

Details

The fsNick cookie is rendered into the DOM without encoding. While the server does reject the modified session and forces a logout, the HTML containing the payload reaches the browser first. This lets the script execute immediately upon load, effectively beating the redirect.

PoC

  1. Log in to the application with any valid account.

<img width="2078" height="302" alt="image" src="https://github.com/user-attachments/assets/d8a9a779-44e0-4a3e-839f-0a031868fbd5" />

  1. Capture any the GET request .

<img width="1267" height="276" alt="image" src="https://github.com/user-attachments/assets/22e43f73-4f86-4cab-a074-7aba584a71ac" />

  1. Modify the value of "fsNick" with the following JavaScript:

<script>alert(window.origin)</script>

  1. Send the modified request.

<img width="1569" height="319" alt="image" src="https://github.com/user-attachments/assets/ade88db1-aadc-4c50-9e02-d09888067e98" />

  1. Result

<img width="1217" height="771" alt="image" src="https://github.com/user-attachments/assets/5858fe9f-127a-4845-b484-5a7ef4ae2cb4" />

Impact

The payload executes before the session ends, which could potentially allow for a single unauthorized action before the logout.

AnalysisAI

Reflected cross-site scripting in FacturaScripts allows authenticated attackers to execute arbitrary JavaScript via manipulation of the fsNick cookie parameter. The application renders the cookie value directly into the HTML without sanitization, permitting script execution before session termination and logout redirection. CVSS score is 3.9 with low impact due to login requirement and single-action execution window.

Technical ContextAI

FacturaScripts is a PHP-based enterprise resource planning (ERP) and accounting web application. The vulnerability resides in cookie handling for the fsNick parameter, which stores user nickname/display name. The affected component fails to apply HTML entity encoding or output escaping when reflecting the cookie value into the DOM. This is a classic Reflected XSS (CWE-79) where unsanitized user-controllable input is output to HTML context without proper encoding. The attack chain relies on the attacker's ability to modify their own session cookie (via browser developer tools or proxy interception) and trigger a GET request that renders the malicious payload. Although the server invalidates the tampered session and redirects to logout, the vulnerable HTML is delivered to the browser before the redirect takes effect, allowing inline script execution within the initial page load.

RemediationAI

Patch status is currently unconfirmed - no vendor-released fix version is identified in available data. Immediate remediation requires upgrading to a patched version when released by the FacturaScripts maintainers; monitor the GitHub advisory at https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-gq5c-rw37-g46c for fix availability. As a compensating control pending patch deployment, enforce strict cookie handling policies: configure the fsNick cookie with HttpOnly flag (prevents JavaScript modification), Secure flag (HTTPS-only transmission), and SameSite=Strict (blocks cross-site cookie transmission). Apply output encoding at the template layer where the fsNick value is rendered; use a templating engine's automatic escaping feature or explicitly HTML-entity-encode all cookie values before DOM insertion. These controls do not prevent the underlying vulnerability but raise the bar for exploitation and limit the attacker's ability to inject executable JavaScript.

Share

CVE-2026-27964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy