VYPR

Facturascripts

by Neorazorx

CVEs (21)

  • CVE-2026-42879 · Medium · May 27, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as…

  • CVE-2026-27891 · High · May 18, 2026
    risk 0.40 · cvss 7.2 · epss 0.01

    FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a…

  • CVE-2026-42877 · Medium · May 27, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents…

  • CVE-2026-27892 · Medium · May 18, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the…

  • CVE-2026-42878 · Medium · May 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting…

  • CVE-2026-32699 · Medium · May 5, 2026
    risk 0.27 · cvss n/a · epss 0.00

    FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass…

  • CVE-2026-27964 · Low · May 18, 2026
    risk 0.18 · cvss 3.9 · epss 0.00

    FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without…

  • CVE-2026-25513 · Feb 4, 2026
    risk 0.00 · cvss n/a · epss 0.00

    FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort…

  • CVE-2026-25514 · Feb 4, 2026
    risk 0.00 · cvss n/a · epss 0.00

    FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the…

  • CVE-2026-23476 · Feb 2, 2026
    risk 0.00 · cvss n/a · epss 0.00

    FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there is a reflected XSS bug in FacturaScripts. The problem is in how error messages are displayed: Twig's |raw filter is used, which skips HTML escaping. When triggering a…

  • CVE-2026-23997 · Feb 2, 2026
    risk 0.00 · cvss n/a · epss 0.00

    FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without…

  • CVE-2025-69210 · Dec 30, 2025
    risk 0.00 · cvss n/a · epss 0.01

    FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable…

  • CVE-2022-2066 · Jun 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.06.

  • CVE-2022-2065 · Jun 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/facturascripts prior to 2022.06.

  • CVE-2022-2016 · Jun 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.1.

  • CVE-2022-1988 · Jun 3, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Generic in GitHub repository neorazorx/facturascripts prior to 2022.09.

  • CVE-2022-1715 · May 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.07.

  • CVE-2022-1682 · May 12, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Reflected XSS using a URL-based payload in GitHub repository neorazorx/facturascripts prior to 2022.07. The XSS can be used to steal the user's cookies, leading to account takeover, or to perform any other malicious activity in the victim's browser.

  • CVE-2022-1571 · May 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability allows arbitrary JavaScript to be executed to steal the user's cookie, perform HTTP requests, read the content of same-origin pages, etc.

  • CVE-2022-1514 · Apr 28, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Stored XSS via the plugin upload functionality (ZIP format) in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the…
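
Two of the entries above (CVE-2026-27891 and CVE-2022-1514) concern plugin bundles uploaded as ZIP archives, and the first of them describes entry paths inside the archive not being validated. The following is an added example, not FacturaScripts' own code (the project is PHP; Python is used here because the check is generic and can be run as-is): every entry name is resolved against the destination directory before anything is written, and absolute names, drive-letter names and symlink entries are rejected along with `..` escapes. The function names, the `MyPlugin/` entries and the `../../config.php` payload are constructed for the demo. CPython's `zipfile.extractall` already strips leading `..` components, so the explicit check is what the caller of a less forgiving archive API would have to write itself.

```python
"""Path validation for an uploaded plugin ZIP before anything is extracted.

Every entry is checked against the destination directory first; one bad
entry rejects the whole archive, so no partial plugin is ever written.
(Added example; constructed names, not the product's plugin layout.)
"""
import io
import os
import tempfile
import zipfile

S_IFMT, S_IFLNK = 0o170000, 0o120000


def unsafe_entries(archive: zipfile.ZipFile, dest_dir: str) -> list:
    """Return the entry names that would escape dest_dir (or are symlinks)."""
    dest = os.path.realpath(dest_dir)
    bad = []
    for info in archive.infolist():
        name = info.filename
        # Absolute paths and drive-letter names never belong in a plugin bundle.
        if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
            bad.append(name)
            continue
        # Symlink entries carry S_IFLNK in the high 16 bits of external_attr;
        # once extracted they could point anywhere on disk.
        if (info.external_attr >> 16) & S_IFMT == S_IFLNK:
            bad.append(name)
            continue
        # Resolve '..' and friends, then require the result to stay under dest.
        target = os.path.realpath(os.path.join(dest, name))
        if os.path.commonpath([dest, target]) != dest:
            bad.append(name)
    return bad


def check_zip(zip_bytes: bytes, dest_dir: str) -> list:
    """Open an in-memory archive and return its unsafe entry names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return unsafe_entries(zf, dest_dir)


def extract_plugin(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract the archive into dest_dir only if every entry is safe."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = unsafe_entries(zf, dest_dir)
        if bad:
            raise ValueError(f"archive escapes {dest_dir}: {bad}")
        zf.extractall(dest_dir)
        return sorted(zf.namelist())


def build_zip(entries: dict) -> bytes:
    """Build a small in-memory archive (constructed sample data, not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # writestr does not sanitise names, so '../' survives
    return buf.getvalue()


def demo() -> dict:
    """Run a benign archive and a path-traversal archive through the check."""
    dest = tempfile.mkdtemp(prefix="plugins-")
    benign = build_zip({"MyPlugin/Init.php": b"<?php\n", "MyPlugin/README.md": b"# demo\n"})
    evil = build_zip({"MyPlugin/Init.php": b"<?php\n", "../../config.php": b"<?php // overwritten\n"})
    result = {"benign": extract_plugin(benign, dest)}
    try:
        extract_plugin(evil, dest)
        result["evil"] = "extracted"
    except ValueError:
        result["evil"] = "rejected"
    result["evil_entries"] = check_zip(evil, dest)
    return result


if __name__ == "__main__":
    print(demo())
```

The check runs over `infolist()` before `extractall()` is called, so the decision is made on the whole archive; extracting entry by entry and bailing on the first bad one would leave a half-installed plugin behind.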
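
CVE-2026-42879 (a PHP file accepted by the product image upload) and CVE-2026-27892 (uploaded images served byte-for-byte with their EXIF/XMP/IPTC metadata) are two sides of the same upload handler. The following is an added example, not FacturaScripts' own code, written in Python so it can be run as-is: it sniffs the magic bytes and requires them to match the declared extension, rejects files carrying a PHP open tag, and rewrites a JPEG segment by segment, dropping the APP1 (Exif and XMP), APP13 (IPTC/Photoshop) and COM segments before the file is stored. The sample JPEG bytes are constructed to be structurally valid for the segment walker; they are not a decodable photograph. The tag scan is a heuristic only; the durable guarantee is that the upload directory is never executed by the web server and files are stored under server-generated names.

```python
"""Image upload checks: content must match the declared extension, and JPEG
metadata segments are stripped before storage. (Added example; the sample
bytes below are constructed, not a real photograph.)
"""
import struct
from typing import Optional

ALLOWED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# JPEG segments that carry metadata rather than image data.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}  # APP1 (Exif, XMP), APP13 (IPTC/Photoshop), COM


def sniff_image(data: bytes) -> Optional[str]:
    """Identify the image type from its magic bytes, ignoring the filename."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Return the image type if the upload is acceptable, else raise ValueError."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    kind = sniff_image(data)
    if kind != ALLOWED[ext]:
        raise ValueError(f"content {kind!r} does not match extension {ext!r}")
    # A valid image can still carry PHP in a comment or trailing bytes (a polyglot);
    # this scan is a heuristic, the real guarantee is never executing uploads.
    if b"<?php" in data or b"<?=" in data:
        raise ValueError("embedded PHP open tag")
    return kind


def is_rejected(filename: str, data: bytes) -> bool:
    """True if validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return True
    return False


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy a JPEG segment by segment, dropping APP1/APP13/COM.
    Everything from SOS (start of scan) onwards is copied verbatim."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out = bytearray(b"\xff\xd8")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        while i < n and data[i] == 0xFF:  # 0xFF fill bytes may precede a marker
            i += 1
        if i >= n:
            break
        marker = data[i]
        i += 1
        if marker == 0xDA:  # SOS: header, entropy-coded data and EOI follow
            out += b"\xff\xda" + data[i:]
            return bytes(out)
        if marker == 0xD9:  # EOI before any scan: degenerate but well-formed
            out += b"\xff\xd9"
            return bytes(out)
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length
            out += bytes([0xFF, marker])
            continue
        if i + 2 > n:
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[i:i + 2])[0]
        segment = data[i:i + length]
        if length < 2 or len(segment) != length:
            raise ValueError(f"truncated segment 0x{marker:02x}")
        i += length
        if marker not in METADATA_MARKERS:
            out += bytes([0xFF, marker]) + segment
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, APP0, two APP1 (Exif, XMP), APP13, COM, DQT, SOS, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00GPSLatitude=41.3851")
    + _segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta>dc:creator=jdoe</x:xmpmeta>")
    + _segment(0xED, b"Photoshop 3.0\x00IPTC:ByLine=jdoe")
    + _segment(0xFE, b"camera serial 1234")
    + _segment(0xDB, bytes(65))
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)

# Same bytes with the COM payload swapped for a PHP tag of identical length: a polyglot.
POLYGLOT_JPEG = SAMPLE_JPEG.replace(b"camera serial 1234", b"<?php echo 1; ?>  ")
```

Re-encoding the image with an imaging library achieves the same metadata removal and also defeats polyglots in the entropy-coded data, at the cost of a lossy round trip; the segment copy above is lossless and needs no dependency, which is why it is shown here.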
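
CVE-2026-25513 describes SQL injection through the REST API's sort parameter. A sort column is an identifier, and identifiers cannot be passed as bind parameters, which is why this class of bug survives in code that otherwise uses prepared statements. The following is an added example, not FacturaScripts' code and not its schema: it runs against an in-memory SQLite database with constructed `clientes` and `users` tables, shows how an attacker turns an unfiltered ORDER BY into a boolean oracle that reads a password hash one character at a time, and then shows the allow-list that closes it. The `column:asc|desc` parameter format and all names are assumptions made for the demo.

```python
"""Sort-parameter SQL injection and its allow-list fix, run against SQLite.
(Added example; tables, columns and the hash value are constructed.)
"""
import sqlite3

ALLOWED_SORT_COLUMNS = {"codcliente", "nombre", "fechaalta"}


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE clientes (codcliente TEXT, nombre TEXT, fechaalta TEXT);
        INSERT INTO clientes VALUES ('C1', 'Zeta SL', '2024-01-01'),
                                    ('C2', 'Alfa SA', '2024-02-01');
        CREATE TABLE users (nick TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', '$2y$10$constructedhashvalue');
    """)
    return conn


def vulnerable_query(sort: str) -> str:
    """The bug pattern: the sort string goes straight into the SQL text."""
    return f"SELECT codcliente, nombre FROM clientes ORDER BY {sort}"


def oracle(conn: sqlite3.Connection, prefix: str) -> bool:
    """Boolean-based extraction through the vulnerable sort. The ORDER BY
    expression selects one column or the other depending on whether `prefix`
    matches the admin hash, so the first row returned reveals the answer."""
    payload = ("CASE WHEN (SELECT password FROM users WHERE nick = 'admin') "
               f"LIKE '{prefix}%' THEN codcliente ELSE nombre END")
    first = conn.execute(vulnerable_query(payload)).fetchone()
    return first[0] == "C1"  # by codcliente C1 sorts first; by nombre 'Alfa SA' (C2) does


def recover_hash_prefix(conn: sqlite3.Connection, length: int) -> str:
    """Recover the first `length` characters of the hash, one position at a time."""
    alphabet = "$./0123456789abcdefghijklmnopqrstuvwxyz"  # no LIKE wildcards, no quotes
    known = ""
    for _ in range(length):
        for ch in alphabet:
            if oracle(conn, known + ch):
                known += ch
                break
        else:
            raise RuntimeError("no character matched")
    return known


def safe_order_by(sort_param: str) -> str:
    """Map a user-supplied 'column' or 'column:desc' onto a fixed ORDER BY clause.
    Only names from the allow-list reach the SQL text, and only quoted."""
    column, _, direction = sort_param.partition(":")
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    direction = (direction or "asc").lower()
    if direction not in ("asc", "desc"):
        raise ValueError(f"bad sort direction: {direction!r}")
    return f'"{column}" {direction.upper()}'


def safe_query(conn: sqlite3.Connection, sort_param: str) -> list:
    """The fixed endpoint: returns customer codes in the requested order."""
    sql = f"SELECT codcliente, nombre FROM clientes ORDER BY {safe_order_by(sort_param)}"
    return [row[0] for row in conn.execute(sql)]


def sort_rejected(sort_param: str) -> bool:
    """True if the allow-list refuses the sort parameter."""
    try:
        safe_order_by(sort_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup()
    print("recovered:", recover_hash_prefix(db, 7))
    print("safe:", safe_query(db, "nombre:desc"))
```

The oracle needs no error messages and no data from the injected subquery in the response body; the row order alone leaks one bit per request, which is why "the API only returns customer records" is not a mitigation.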

Page 1 of 2