Facturascripts
by Neorazorx
CVEs (21)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42879 | Neorazorx / FacturaScripts | Medium | 0.41 | 6.3 | 0.00 | | May 27, 2026 | FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as… |
| CVE-2026-27891 | Neorazorx / FacturaScripts | High | 0.40 | 7.2 | 0.01 | | May 18, 2026 | FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a… |
| CVE-2026-42877 | Neorazorx / FacturaScripts | Medium | 0.35 | 5.4 | 0.00 | | May 27, 2026 | FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents… |
| CVE-2026-27892 | Neorazorx / FacturaScripts | Medium | 0.35 | 6.5 | 0.00 | | May 18, 2026 | FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the… |
| CVE-2026-42878 | Neorazorx / FacturaScripts | Medium | 0.27 | 5.3 | 0.00 | | May 27, 2026 | FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting… |
| CVE-2026-32699 | Neorazorx / FacturaScripts | Medium | 0.27 | — | 0.00 | | May 5, 2026 | FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass… |
| CVE-2026-27964 | Neorazorx / FacturaScripts | Low | 0.18 | 3.9 | 0.00 | | May 18, 2026 | FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without… |
| CVE-2026-25513 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.00 | | Feb 4, 2026 | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort… |
| CVE-2026-25514 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.00 | | Feb 4, 2026 | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the… |
| CVE-2026-23476 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.00 | | Feb 2, 2026 | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there is a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's `\|raw` filter is used, which skips HTML escaping. When triggering a… |
| CVE-2026-23997 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.00 | | Feb 2, 2026 | FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without… |
| CVE-2025-69210 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | Dec 30, 2025 | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable… |
| CVE-2022-2066 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | Jun 13, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.06. |
| CVE-2022-2065 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | Jun 13, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/facturascripts prior to 2022.06. |
| CVE-2022-2016 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | Jun 7, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.1. |
| CVE-2022-1988 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | Jun 3, 2022 | Cross-site Scripting (XSS) - Generic in GitHub repository neorazorx/facturascripts prior to 2022.09. |
| CVE-2022-1715 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | May 13, 2022 | Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.07. |
| CVE-2022-1682 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | May 12, 2022 | Reflected XSS using a URL-based payload in GitHub repository neorazorx/facturascripts prior to 2022.07. The XSS can be used to steal users' cookies, which can lead to account takeover or any other malicious activity in the victim's browser. |
| CVE-2022-1571 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | May 4, 2022 | Cross-site Scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability allows arbitrary JavaScript execution to steal the user's cookie, perform HTTP requests, read the content of `same origin` pages, etc. |
| CVE-2022-1514 | Neorazorx / FacturaScripts | — | 0.00 | — | 0.01 | | Apr 28, 2022 | Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the… |
Page 1 of 2