High severityOSV Advisory· Published Feb 2, 2026· Updated Feb 3, 2026

FacturaScripts has a Stored Cross-Site Scripting (XSS) in "Observations" field via History View

CVE-2026-23997

Description

FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
facturascripts/facturascriptsPackagist	<= 2025.71	—

Affected products

Neorazorx/FacturascriptsOSV
Range: 2018.03, 2018.04, 2018.05, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-4v7v-7v7r-3r5hghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-23997ghsaADVISORY
github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5hghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000