PT-2026-38612 · Neorazorx+1 · Facturascripts+1

Published 2026-05-07 · Updated 2026-05-19 · CVE-2026-27964

CVSS v3.1: 3.9 (Low)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to 2025.8

Description: A reflected cross-site scripting (XSS) issue exists because the application reflects the value of the fsNick cookie directly into the HTML response, and so into the Document Object Model (DOM), without sanitization or encoding. Although the server rejects the modified session and forces a logout, the HTML containing the payload reaches the browser first, so the script executes immediately on page load, bypassing the redirect.

Recommendations: Update to version 2025.8. As a temporary workaround, restrict or sanitize the use of the fsNick cookie value to minimize the risk of exploitation.
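The following illustration is added here and is not FacturaScripts code; the two render functions are hypothetical stand-ins for a template that displays the logged-in user's nick. It shows the defect class described above (a cookie value, which is client-controlled, written into markup unencoded) next to the two defensive measures the recommendation names: restricting the accepted value and encoding it before it reaches the HTML.

```php
<?php
// Added example, not part of the FacturaScripts code base. The function
// names, the allowed nick pattern and the sample cookie are assumptions.

// Vulnerable pattern: a cookie is set by the client, so its value is
// untrusted input. Concatenating it straight into markup means any markup
// in the cookie becomes part of the DOM when the browser parses the page,
// even if the server later invalidates the session and redirects.
function renderNickVulnerable(array $cookies): string
{
    $nick = $cookies['fsNick'] ?? '';
    return '<span class="nick">' . $nick . '</span>';
}

// Workaround-style restriction: only accept a nick that matches a narrow
// allow-list pattern (hypothetical pattern chosen for this example); anything
// else is treated as absent. This limits what can ever reach the template.
function restrictNick(string $nick): string
{
    return preg_match('/^[A-Za-z0-9_.-]{1,50}$/', $nick) === 1 ? $nick : '';
}

// Hardened pattern: HTML-encode for the output context (element text) with an
// explicit charset, regardless of whether the value was already restricted.
// Encoding at the output boundary is the fix; restriction is defence in depth.
function renderNickSafe(array $cookies): string
{
    $nick = restrictNick($cookies['fsNick'] ?? '');
    $encoded = htmlspecialchars($nick, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="nick">' . $encoded . '</span>';
}

// Constructed sample cookies: one ordinary nick, one carrying markup.
$samples = [
    ['fsNick' => 'alice'],
    ['fsNick' => '<b>alice</b>'],
];

foreach ($samples as $cookies) {
    echo 'vulnerable: ', renderNickVulnerable($cookies), PHP_EOL;
    echo 'hardened:   ', renderNickSafe($cookies), PHP_EOL;
}
```

When run, the vulnerable function echoes the tags from the second sample verbatim, while the hardened function returns an empty nick for it (the restriction rejects it) and would have emitted `&lt;` / `&gt;` entities had the value passed the allow-list. For detection, a request log or WAF rule that flags `<`, `>` or `"` in the fsNick cookie is a cheap indicator of attempts against unpatched instances.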

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-27964
GHSA-GQ5C-RW37-G46C

Affected Products

Facturascripts
Facturascripts/Facturascripts