CVE-2026-23476: FacturaScripts is Vulnerable to Reflected XSS
A reflected XSS bug has been found in FacturaScripts. The problem is in how error messages are displayed: the template renders them through Twig's | raw filter, which disables HTML escaping. When a database error is triggered (for example by passing a string where an integer is expected), the error message includes the offending input and is rendered without sanitization.
Attackers can use this to phish credentials from other users: because HttpOnly is set on cookies, stealing session cookies directly won't work, but an attacker can inject a fake login form into the page.
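The following is an added example, not FacturaScripts code, that shows the weak template beside the corrected one. It assumes twig/twig is installed via Composer; the error text, the template names and the buildDbError() helper are constructed stand-ins for the database message and alert template the advisory describes.

```php
<?php
// Added example (not FacturaScripts code). Assumes twig/twig is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed stand-in for the text a database driver returns when a string
// is supplied where an integer column is expected: the untrusted value is
// echoed back inside the message.
function buildDbError(string $untrustedId): string
{
    return "Incorrect integer value: '$untrustedId' for column 'id'";
}

// The same alert rendered two ways. '|raw' switches off Twig's autoescaping,
// so any markup inside the message becomes live HTML; the plain '{{ message }}'
// form is HTML-escaped by the environment's autoescape setting.
$loader = new ArrayLoader([
    'vulnerable.html.twig' => '<div class="alert alert-danger">{{ message|raw }}</div>',
    'fixed.html.twig'      => '<div class="alert alert-danger">{{ message }}</div>',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Harmless marker standing in for whatever a reflected request parameter carried.
$message = buildDbError('<b>not-a-number</b>');

echo 'vulnerable: ', $twig->render('vulnerable.html.twig', ['message' => $message]), PHP_EOL;
echo 'fixed:      ', $twig->render('fixed.html.twig', ['message' => $message]), PHP_EOL;
```

In the first output the marker tag survives as markup; in the second it is escaped to entities, which is the behaviour the fix restores by dropping the raw filter.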
CVSS 6.1 (Medium-High)
References
- github.com/NeoRazorX/facturascripts
- github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3
- github.com/NeoRazorX/facturascripts/releases/tag/v2025.8
- github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4
- github.com/advisories/GHSA-g6w2-q45f-xrp4
- nvd.nist.gov/vuln/detail/CVE-2026-23476