Moderate severity · OSV Advisory · Published Feb 2, 2026 · Updated Feb 3, 2026
FacturaScripts Affected by Reflected XSS
CVE-2026-23476
Description
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, FacturaScripts contains a reflected XSS vulnerability in the way error messages are displayed. The error text is rendered through Twig's `|raw` filter, which bypasses Twig's HTML auto-escaping. When an attacker triggers a database error (for example, by passing a string where an integer is expected), the resulting error message embeds the attacker-controlled input and is rendered into the page without sanitization. This vulnerability is fixed in 2025.8.
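The following is an added example, not FacturaScripts code, that reproduces the mechanism the description gives: the same error message rendered once through `|raw` and once with Twig's default HTML auto-escaping left in place. The template names, the alert markup, and the wording of the database error are assumptions; only the `|raw` filter and the "string where an integer is expected" trigger come from the advisory.

```php
<?php
// Added example, not FacturaScripts code: shows why rendering an error message
// through Twig's |raw filter turns a database error into reflected XSS, and
// what the same template does with auto-escaping left on. Template names,
// the alert markup and the error message text are assumptions.
// Requires Twig (composer require twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

$loader = new ArrayLoader([
    // Pattern the advisory describes: |raw disables escaping for this value.
    'vulnerable.html.twig' => '<div class="alert alert-danger">{{ message|raw }}</div>',
    // Hardened form: no |raw, so Twig's html escaper encodes <, >, ", ' and &.
    'fixed.html.twig'      => '<div class="alert alert-danger">{{ message }}</div>',
]);

// 'html' is Twig's default autoescape strategy; it is spelled out here so the
// contrast with |raw is explicit rather than relying on the default.
$twig = new Environment($loader, ['autoescape' => 'html']);

// Constructed input: a string submitted where the application expects an
// integer. The database rejects it and, as the advisory describes, the error
// text echoes the offending value, which the application then displays.
$attackerInput = '<script>alert(document.cookie)</script>';
$dbError = sprintf('Invalid input syntax for integer: "%s"', $attackerInput);

echo "vulnerable: ", $twig->render('vulnerable.html.twig', ['message' => $dbError]), PHP_EOL;
echo "fixed:      ", $twig->render('fixed.html.twig', ['message' => $dbError]), PHP_EOL;
```

The first line contains the `<script>` element verbatim, so a browser rendering that error page executes it in the application's origin; the second contains `&lt;script&gt;...&lt;/script&gt;`, which displays as inert text. The practical point is that an error string coming back from the database driver is still attacker-tainted even though it did not arrive directly from the request, so it deserves the same escaping as any other untrusted value; `|raw` is only appropriate for markup the application itself generated with no user-derived content. If such a message must land in an attribute or JavaScript context, Twig's `escape('html_attr')` or `escape('js')` is the matching escaper, and a `grep -rn 'raw' --include='*.twig'` over the template tree is a quick way to enumerate every remaining `|raw` use for review.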
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| facturascripts/facturascripts (Packagist) | < 2025.81 | 2025.81 |
Affected products
- Range: 2018.03, 2018.04, 2018.05, …
References
- github.com/advisories/GHSA-g6w2-q45f-xrp4 [ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2026-23476 [ADVISORY]
- github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3 [MISC, fix commit]
- github.com/NeoRazorX/facturascripts/releases/tag/v2025.8 [MISC, release]
- github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4 [CONFIRM, vendor advisory]