CVE-2026-23476

5.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

This reflected XSS vulnerability in FacturaScripts allows attackers to inject malicious scripts into error messages that get executed in users' browsers. It affects all FacturaScripts installations prior to version 2025.8 where users can trigger database errors. The vulnerability is exploitable by anyone who can access the application and trigger specific error conditions.

💻 Affected Systems

Products:
  • FacturaScripts
Versions: All versions prior to 2025.8
Operating Systems: All operating systems running FacturaScripts
Default Config Vulnerable: ⚠️ Yes
Notes: Requires ability to trigger database errors through user input that gets reflected in error messages.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deface the application interface for all users who view the error page.

🟠

Likely Case

Session hijacking, credential theft, or limited client-side attacks against users who trigger specific database errors.

🟢

If Mitigated

Minimal impact if proper Content Security Policy headers are implemented and users have script-blocking browser extensions.

🌐 Internet-Facing: MEDIUM - Exploitable remotely but requires user interaction to trigger specific error conditions.
🏢 Internal Only: MEDIUM - Same technical risk but limited to internal network attackers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires finding and triggering specific database error conditions that reflect user input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.8

Vendor Advisory: https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4

Restart Required: Yes

Instructions:

1. Backup your FacturaScripts installation and database. 2. Download version 2025.8 or later from the official repository. 3. Replace the existing installation with the new version. 4. Restart your web server. 5. Verify the update by checking the version in the admin panel.

🔧 Temporary Workarounds

Implement Content Security Policy

all

Add a strict Content Security Policy header to prevent script execution from untrusted sources.

Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'

Input Validation Filter

all

Add input validation to prevent triggering database errors with malicious input.

Implement server-side validation for all user inputs before database operations

🧯 If You Can't Patch

  • Implement WAF rules to block XSS payloads in error messages
  • Disable detailed error messages in production environments

🔍 How to Verify

Check if Vulnerable:

Test by triggering database errors with malicious input and checking if it gets reflected unsanitized in error messages.

Check Version:

Check admin panel or view the core/version.txt file in the installation directory.

Verify Fix Applied:

After patching, attempt to trigger the same database errors and verify input is properly escaped in error messages.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database error patterns
  • Requests with XSS payloads in parameters
  • Multiple error 500 responses

Network Indicators:

  • HTTP requests containing script tags or javascript: URIs in parameters
  • Unusual POST/GET requests to error-handling endpoints

SIEM Query:

source="web_server_logs" AND (status=500 AND (uri="*error*" OR uri="*exception*") AND (param="*<script>*" OR param="*javascript:*"))

📊 Metadata

CVE ID: CVE-2026-23476
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Published: February 2, 2026
Last Updated: February 4, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

📤 Share This