PT-2026-5712 · Unknown+1 · Facturascripts+1

H4Cd0C · Published 2026-02-02 · Updated 2026-02-23 · CVE-2026-23476

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to 2025.8

Description: FacturaScripts is susceptible to a reflected cross-site scripting (XSS) issue stemming from improper handling of error messages. The application uses Twig's | raw filter, which bypasses HTML escaping. When a database error occurs, such as a string being supplied where an integer is expected, the resulting error message, including the offending input, is rendered without sanitization. This allows attackers to inject scripts into the error message, potentially leading to credential phishing or other attacks. The vulnerability exists in the Core/View/Macro/Utils.html.twig file, specifically on line 27. The issue is triggered by sending crafted input through parameters like code in API endpoints such as /EditProducto?code=, /EditCliente?code=, /EditFacturaCliente?code=, and /EditProveedor?code=. The error logging occurs in Core/Base/DataBase.php around line 236. Attackers can leverage this to steal credentials by injecting a fake login form, read page data, or potentially execute keyloggers and bypass CSRF protections.

Recommendations: Versions prior to 2025.8: remove | raw from line 27 in Core/View/Macro/Utils.html.twig.
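The following script is an added illustration of the root cause and the recommended fix; it is not FacturaScripts code and does not reproduce the real Core/View/Macro/Utils.html.twig. It renders two hypothetical message macros with Twig (assumed to be installed via Composer as twig/twig): one that applies | raw to the log message, as the advisory describes, and one that simply omits the filter. The log entry is a constructed sample whose text echoes a non-numeric value, with deliberately harmless markup.

```php
<?php
// Added illustration, not project code. Assumes Twig is available through
// Composer: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Two versions of a hypothetical message macro modelled on the pattern the
// advisory describes. The only difference is the "| raw" filter.
$templates = [
    // Weak form: raw switches off auto-escaping for this value, so any markup
    // contained in the message (which echoes user-supplied input) is emitted
    // into the page as live HTML.
    'unsafe.html.twig' => '{% for log in logs %}'
        . '<div class="alert alert-{{ log.level }}">{{ log.message | raw }}</div>'
        . '{% endfor %}',

    // Hardened form: no raw filter. With the html autoescape strategy active,
    // the characters < > & " \' are converted to entities and the message is
    // displayed as text.
    'safe.html.twig' => '{% for log in logs %}'
        . '<div class="alert alert-{{ log.level }}">{{ log.message }}</div>'
        . '{% endfor %}',
];

// 'html' is Twig's default autoescape strategy; it is set explicitly here so
// the behaviour does not depend on the caller's environment configuration.
$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);

// Constructed sample: a database error whose text repeats a value that was
// submitted where an integer was expected.
$logs = [
    ['level' => 'danger', 'message' => 'Invalid integer value: <b>not-a-number</b>'],
];

echo "unsafe: " . $twig->render('unsafe.html.twig', ['logs' => $logs]) . PHP_EOL;
echo "safe:   " . $twig->render('safe.html.twig', ['logs' => $logs]) . PHP_EOL;
```

Running it shows the difference directly: the unsafe template writes the <b> tag into the alert box as markup, while the safe template writes it as &lt;b&gt; and the browser shows the literal text. If a template is ever rendered with autoescaping disabled, applying Twig's escape filter explicitly ({{ log.message|e('html') }}) gives the same result as the hardened form.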

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-23476
GHSA-G6W2-Q45F-XRP4

Affected Products

Facturascripts
Twig