CVE-2026-42877: FacturaScripts vulnerable to stored XSS via product reference in sales/purchases
A stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.