Medium severity 5.4 · GHSA Advisory · Published May 27, 2026 · Updated May 29, 2026
CVE-2026-42877
Description
FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.
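The description above is a stored-XSS pattern: a value saved in one module is later written into another user's page. As an added example (not FacturaScripts code and not its patch), the PHP below shows a modal row built by plain concatenation beside one that encodes every stored field at output time, plus an audit helper that flags stored references containing HTML-significant characters. The function names, the field names `referencia` and `descripcion`, and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from the FacturaScripts code base.

/** Encode a value for HTML text and quoted-attribute contexts. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Unsafe pattern: the stored reference is concatenated into markup as-is. */
function renderRowUnsafe(array $product): string
{
    return '<tr data-ref="' . $product['referencia'] . '"><td>'
        . $product['referencia'] . '</td><td>' . $product['descripcion'] . '</td></tr>';
}

/** Hardened pattern: every stored field is encoded at output, and no inline handlers are used. */
function renderRowSafe(array $product): string
{
    return '<tr data-ref="' . esc($product['referencia']) . '"><td>'
        . esc($product['referencia']) . '</td><td>' . esc($product['descripcion']) . '</td></tr>';
}

/** Audit helper: return stored references that contain HTML-significant characters. */
function suspiciousReferences(array $products): array
{
    return array_values(array_filter(
        array_column($products, 'referencia'),
        static fn(string $ref): bool => preg_match('/[<>"\'&`]/', $ref) === 1
    ));
}

// Constructed sample rows; the second carries harmless markup in its reference.
$products = [
    ['referencia' => 'TORNILLO-M4', 'descripcion' => 'Tornillo M4 x 20'],
    ['referencia' => 'A<b>1</b>', 'descripcion' => 'Constructed row with markup in the reference'],
];

foreach ($products as $p) {
    echo renderRowSafe($p), PHP_EOL;   // markup in the reference is emitted as inert text
}
print_r(suspiciousReferences($products)); // only the second reference is flagged
```

Encoding at output time protects readers even when a hostile value is already stored, which is why the audit helper is a cleanup aid rather than the control itself.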
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| facturascripts/facturascripts (Packagist) | <= 2025.92 | — |
Affected products (2)
- Range: <= 2025.92