PT-2026-38615 · Neorazorx+1 · Facturascripts+1
Ormzro · Published 2026-05-07 · Updated 2026-05-27 · CVE-2026-42877
CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to 2025.92
Description: A stored Cross-Site Scripting (XSS) issue exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal within an invoice, order, or delivery note. The issue occurs because the referencia variable is injected into an HTML onclick attribute without proper JavaScript context escaping. When the modal HTML is inserted into the DOM via innerHTML, the browser decodes the character references in the attribute before the JavaScript engine parses the handler, allowing the attacker to break out of the JavaScript string literal and execute code. This can lead to privilege escalation, where a low-privilege user executes scripts in an administrator's session to perform unauthorized actions, such as creating new admin users via the /EditUser endpoint or exfiltrating business data.
Recommendations: Update to a version later than 2025.92. As a temporary workaround, restrict access to the warehouse module to trusted users only to prevent the creation of malicious product references. Avoid using the referencia field for products created by untrusted users until the system is updated.
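The mechanism described above (a value placed inside an inline onclick handler, with the browser decoding HTML character references before the JavaScript parser runs) is illustrated by the following added example. It is not FacturaScripts code; the selectProduct() function, the data-ref attribute name and the test reference value are assumptions made for the illustration. It models the attribute decoding step as a string function, shows why HTML-escaping alone leaves the JavaScript string literal breakable, and contrasts two safe renderings: JavaScript-context escaping followed by HTML escaping, and the preferred variant with no inline script at all.

```javascript
// Added example (not FacturaScripts code). selectProduct(), the data-ref
// attribute and CONSTRUCTED_REF are assumptions for illustration only.

// Standard HTML escaping: correct for text nodes and for attribute values
// that the browser treats as plain data.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Minimal model of what the HTML parser does to an attribute value before the
// JavaScript engine sees an inline handler: character references are decoded.
function decodeHtmlAttribute(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot);/gi, (m, ref) => {
    const r = ref.toLowerCase();
    if (r.startsWith('#x')) return String.fromCodePoint(parseInt(r.slice(2), 16));
    if (r.startsWith('#')) return String.fromCodePoint(parseInt(r.slice(1), 10));
    return { amp: '&', lt: '<', gt: '>', quot: '"' }[r];
  });
}

// Returns the JavaScript source that would run on click for a rendered row
// (after attribute decoding), or null when the row has no inline handler.
function inlineHandlerSource(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m ? decodeHtmlAttribute(m[1]) : null;
}

// Defender's check: the handler must still be exactly one call whose single
// argument is one intact string literal (no second statement, no extra call).
function handlerIsSingleCall(js) {
  return /^selectProduct\((['"])(?:(?!\1)[^\\]|\\.)*\1\)$/.test(js);
}

// Reads the value carried by the data attribute, as the browser would decode it.
function dataRefValue(html) {
  const m = /data-ref="([^"]*)"/.exec(html);
  return m ? decodeHtmlAttribute(m[1]) : null;
}

// Pattern 1 (the vulnerable shape): the reference is HTML-escaped, which looks
// safe, but &#39; is decoded back to ' inside the attribute, so the JavaScript
// string literal in the handler breaks.
function renderRowInlineEscapedHtml(ref) {
  return `<a href="#" onclick="selectProduct('${escapeHtml(ref)}')">${escapeHtml(ref)}</a>`;
}

// Pattern 2 (hardened, inline handler kept): escape for the JavaScript string
// context first (JSON.stringify, plus \uXXXX for HTML-significant characters
// and quotes), THEN HTML-escape the result for the attribute. After attribute
// decoding the engine sees a single well-formed string literal.
function jsLiteral(ref) {
  return JSON.stringify(String(ref)).replace(/[<>&'\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function renderRowInlineJsEscaped(ref) {
  return `<a href="#" onclick="selectProduct(${escapeHtml(jsLiteral(ref))})">${escapeHtml(ref)}</a>`;
}

// Pattern 3 (preferred): no inline script at all. The value travels in a data
// attribute and one delegated listener reads it, so it never reaches a
// JavaScript parser and HTML escaping is the only encoding required.
function renderRowDataAttr(ref) {
  return `<a href="#" class="pick-product" data-ref="${escapeHtml(ref)}">${escapeHtml(ref)}</a>`;
}
function attachPicker(modalRoot, selectProduct) { // DOM-only; not run offline
  modalRoot.addEventListener('click', (ev) => {
    const a = ev.target.closest('a.pick-product');
    if (a) { ev.preventDefault(); selectProduct(a.dataset.ref); }
  });
}

// Constructed test reference: carries a quote and a parenthesis, the two
// characters that close the original string literal and call.
const CONSTRUCTED_REF = "REF-1') ; untrusted() ; ('";

// Running the three renderings through the model shows that only pattern 1
// yields a handler that is no longer a single call.
function summary() {
  return {
    escapedHtmlOnly: handlerIsSingleCall(inlineHandlerSource(renderRowInlineEscapedHtml(CONSTRUCTED_REF))),
    jsThenHtml: handlerIsSingleCall(inlineHandlerSource(renderRowInlineJsEscaped(CONSTRUCTED_REF))),
    dataAttrRoundTrip: dataRefValue(renderRowDataAttr(CONSTRUCTED_REF)) === CONSTRUCTED_REF,
  };
}
```

The decoding model is deliberately small (named and numeric references only), which is enough to show the ordering problem: HTML decoding happens first, so encoding for the outer HTML context cannot protect the inner JavaScript context. A code-review rule that follows from this is to treat any template that interpolates user data into an on* attribute as a finding regardless of the HTML escaping applied, and to move such values into data attributes with a listener attached in script.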

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-42877
GHSA-R736-2678-FCRX

Affected Products

Facturascripts
Facturascripts/Facturascripts