PT-2026-5714 · Unknown · Facturascripts

Jaroslaw-Wawiorko · Published 2026-02-02 · Updated 2026-02-23 · CVE-2026-23997

CVSS v3.1: 9.0 (Critical)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions 2025.71 and earlier
Description: FacturaScripts contains a stored cross-site scripting (XSS) flaw in the Observations field as displayed in the History view. The application does not HTML-encode the stored value when rendering historical data, so any markup or script placed in the field is written into the page verbatim. This lets an attacker execute arbitrary JavaScript in the browser of an administrator who views the history. Exploitation proceeds as follows: log in as a regular (low-privilege) user, create or edit a Delivery Note, place a JavaScript payload in the Observations field, and wait for an administrator to open the History tab for that note. Because the script runs in the administrator's session, successful exploitation can lead to full account takeover and complete control of the system, including access to sensitive financial data and user configurations. The attack requires some knowledge of the application's internal API structure, which can be obtained with browser developer tools.
Recommendations: Installations running version 2025.71 or earlier should be updated to a release that contains the fix.
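The mechanism described above, as an added example that is not FacturaScripts code and does not reproduce its templates: a history row rendered by string interpolation of the stored Observations value (the vulnerable pattern) next to the same row rendered with output encoding, plus a check that reports whether a benign canary submitted to the field comes back unencoded in the rendered page. The entry object, its field names, the sample payload and the `xss-canary` tag are constructed for this example and are assumptions, not the application's real data model or API.

```javascript
// Added example (not FacturaScripts code). Shows how an unencoded stored
// value becomes stored XSS in a history view, the output encoding that
// prevents it, and a canary check for the unencoded case.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use as HTML text or inside a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable rendering: the stored observations value is interpolated as-is,
// so markup and event handlers in it become part of the page.
function renderHistoryRowVulnerable(entry) {
  return `<tr><td>${entry.date}</td><td>${entry.user}</td><td>${entry.observations}</td></tr>`;
}

// Hardened rendering: every untrusted value is encoded at output time.
function renderHistoryRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.date)}</td><td>${escapeHtml(entry.user)}</td>` +
    `<td>${escapeHtml(entry.observations)}</td></tr>`;
}

// Detection check: submit a harmless canary element to the field, fetch the
// rendered history page, and see whether the markup survived unencoded.
// No script has to execute to prove the bug; the raw tag coming back is enough.
function canaryUnencoded(html, canaryId) {
  const raw = `<xss-canary id="${canaryId}">`;   // assumed canary tag name
  return html.includes(raw) && !html.includes(escapeHtml(raw));
}

// Constructed sample: a delivery-note history entry whose observations field
// holds a payload written by a low-privilege user. Field names are assumed.
const payload = '<img src=x onerror="alert(document.cookie)">';
const entry = { date: '2026-02-02', user: 'user1', observations: payload };

const vulnerable = renderHistoryRowVulnerable(entry);
const safe = renderHistoryRowSafe(entry);

// In the vulnerable row the onerror handler is live; in the safe row the
// browser sees literal text, and the canary check reports the difference.
console.log(vulnerable);
console.log(safe);
console.log('canary unencoded (vulnerable):', canaryUnencoded(renderHistoryRowVulnerable(
  { date: 'd', user: 'u', observations: '<xss-canary id="c1">' }), 'c1'));
```

The fix belongs at output time, in the template that renders the history rows, not at input time: the same Observations value may legitimately be shown in other contexts, and input filtering is easy to bypass. If the templating layer has autoescaping, the check to make for this class of bug is that the history view does not bypass it for the stored value. A Content Security Policy without `unsafe-inline` limits what an injected handler can do, but is a second layer, not a substitute for encoding.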

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-23997
GHSA-4V7V-7V7R-3R5H

Affected Products

Facturascripts