CVE-2026-23997

8.0 HIGH

📋 TL;DR

A stored XSS vulnerability in FacturaScripts allows attackers to inject malicious JavaScript into the Observations field, which executes when administrators view the History section. This affects all users of FacturaScripts versions 2025.71 and earlier. The vulnerability enables session hijacking, data theft, and administrative account compromise.

💻 Affected Systems

Products:
  • FacturaScripts
Versions: 2025.71 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator account takeover leading to complete system compromise, data exfiltration, and further malware deployment.

🟠

Likely Case

Session hijacking allowing unauthorized access to sensitive financial data and administrative functions.

🟢

If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (admin viewing history) but payload delivery is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.72 or later

Vendor Advisory: https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h

Restart Required: No

Instructions:

1. Back up your FacturaScripts installation and database.
2. Download the latest version from the official repository.
3. Replace the existing installation files with the updated version.
4. Clear browser caches and test functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation to sanitize the content of the Observations field.

Modify the PHP code to apply htmlspecialchars() or similar sanitization to the Observations field before storage.

🧯 If You Can't Patch

  • Restrict access to History view to only essential administrators
  • Implement Content Security Policy (CSP) headers to restrict script execution
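The following is an added example, not FacturaScripts code and not part of the vendor advisory: it shows the two workarounds above in PHP, encoding the Observations value at render time with htmlspecialchars() and emitting a restrictive Content-Security-Policy header. Applying encoding at output (in addition to, or instead of, at storage) also protects records that were written before any input filter was added. Function names, the history-row markup and the sample record are assumptions made for illustration.

```php
<?php
// Added example (not FacturaScripts code): output encoding for the Observations
// field plus a CSP response header. Function names, markup and the sample record
// are assumptions; the project's real templates and controllers differ.

declare(strict_types=1);

// Encode untrusted text for insertion into an HTML element body or attribute.
// ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string, and the explicit charset
// avoids encoding mismatches between storage and output.
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one History row. Encoding happens here, at output time, so it holds
// regardless of whether the stored value was sanitized when it was saved.
function renderHistoryRow(string $date, string $user, string $observations): string
{
    return '<tr>'
        . '<td>' . escapeHtml($date) . '</td>'
        . '<td>' . escapeHtml($user) . '</td>'
        . '<td title="' . escapeHtml($observations) . '">' . escapeHtml($observations) . '</td>'
        . '</tr>';
}

// Restrictive CSP for the admin area: same-origin scripts only, no inline
// script, no plugin content, no framing. Adjust the source lists to the deployment.
function cspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; "
        . "base-uri 'self'; frame-ancestors 'none'";
}

// Constructed sample record whose Observations value carries markup.
$sample = [
    'date'         => '2026-01-15 10:42',
    'user'         => 'admin',
    'observations' => '<script>alert("history")</script>',
];

if (!headers_sent()) {
    header('Content-Security-Policy: ' . cspHeaderValue());
}

$row = renderHistoryRow($sample['date'], $sample['user'], $sample['observations']);
// The stored markup is emitted as inert text (&lt;script&gt;...), not as a tag.
echo $row, PHP_EOL;
```

The same escapeHtml() call is what the "Verify Fix Applied" step below is checking for: a value typed into Observations should appear in the History view exactly as typed, with angle brackets and quotes visible rather than interpreted.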

🔍 How to Verify

Check if Vulnerable:

Check the FacturaScripts version in the admin panel or by examining the version files.

Check Version:

Check the version.php file or admin dashboard for version information

Verify Fix Applied:

Test if HTML/JavaScript entered in Observations field is properly encoded when displayed in History view

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript patterns in Observations field entries
  • Multiple failed login attempts from admin accounts

Network Indicators:

  • Unexpected outbound connections from FacturaScripts server

SIEM Query:

source="facturascripts" AND (message="*<script>*" OR message="*javascript:*")
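As an added example that is not part of this advisory, the script below applies the same patterns as the SIEM query above to exported Observations records, extending it to inline event-handler attributes (onerror=, onload=, and so on), which the two literal patterns alone would miss. The record format and the sample rows are constructed assumptions.

```php
<?php
// Added example (not FacturaScripts code): flag Observations values that match
// the SIEM query's patterns (<script>, javascript:) plus inline event handlers.
// Record layout and sample data are constructed for illustration.

declare(strict_types=1);

// Case-insensitive patterns. Event-handler matching is the noisiest of the three;
// review hits rather than acting on them automatically.
const SUSPICIOUS_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'javascript_uri' => '/javascript\s*:/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
];

// Return the names of every pattern that matches the given text.
function findSuspicious(string $text): array
{
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $text) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan a list of records and report the ones with at least one hit.
function scanRecords(array $records): array
{
    $findings = [];
    foreach ($records as $record) {
        $hits = findSuspicious($record['observations']);
        if ($hits !== []) {
            $findings[] = [
                'id'       => $record['id'],
                'user'     => $record['user'],
                'patterns' => $hits,
            ];
        }
    }
    return $findings;
}

// Constructed sample export: one benign row and three that should be flagged.
$records = [
    ['id' => 1, 'user' => 'accounting', 'observations' => 'Invoice paid by bank transfer.'],
    ['id' => 2, 'user' => 'sales',      'observations' => '<SCRIPT>alert(1)</SCRIPT>'],
    ['id' => 3, 'user' => 'sales',      'observations' => '<a href="JavaScript:alert(1)">details</a>'],
    ['id' => 4, 'user' => 'support',    'observations' => '<img src=x onerror=alert(1)>'],
];

foreach (scanRecords($records) as $finding) {
    printf("record %d (user %s): %s\n",
        $finding['id'], $finding['user'], implode(', ', $finding['patterns']));
}
// Expected: records 2, 3 and 4 are reported with script_tag, javascript_uri
// and event_handler respectively; record 1 produces no output.
```

Run it against a CSV or database export of the Observations column; the user field in each finding ties a suspicious entry back to the account that created it, which is the lead for the incident review.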
