CVE-2026-23476: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in NeoRazorX facturascripts
CVE-2026-23476 is a reflected cross-site scripting (XSS) vulnerability in FacturaScripts, an open-source ERP and accounting software by NeoRazorX, affecting versions prior to 2025.8. The flaw arises from improper sanitization when displaying error messages triggered by database input errors, due to the use of Twig's |raw filter, which bypasses HTML escaping. An attacker can exploit this by causing a database error with crafted input, leading to execution of malicious scripts in the victim's browser. The vulnerability requires low privileges but does require user interaction and results in partial confidentiality and integrity impact without affecting availability. It is rated medium severity with a CVSS score of 5.4 and has no known exploits in the wild. The issue is fixed in version 2025.8. European organizations using vulnerable versions of FacturaScripts, especially in finance and accounting roles, should prioritize patching to prevent potential targeted attacks.
AI Analysis
Technical Summary
FacturaScripts is an open-source ERP and accounting software widely used by small and medium enterprises. CVE-2026-23476 is a reflected cross-site scripting vulnerability identified in versions prior to 2025.8. The root cause is the use of Twig's |raw filter when rendering error messages generated by database input validation failures. Specifically, when a user inputs data that triggers a database error (e.g., submitting a string where an integer is expected), the error message includes this unsanitized input and is rendered directly in the web interface without proper HTML escaping. This improper neutralization of input (CWE-79) allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser session. The vulnerability requires the attacker to have low privileges (authenticated user) and to trick a user into triggering the error message (user interaction required). The CVSS 3.1 base score is 5.4 (medium severity), reflecting the network attack vector, low attack complexity, requirement for privileges and user interaction, and partial confidentiality and integrity impacts without availability impact. No known exploits have been reported in the wild as of the publication date. The vendor fixed the issue in version 2025.8 by properly sanitizing error message outputs. Organizations running vulnerable versions should upgrade promptly to mitigate risk.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of user sessions and data. Exploitation could allow attackers to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the FacturaScripts application. Given FacturaScripts' role in financial and accounting processes, such attacks could facilitate fraud or data leakage. Although availability is not impacted, the trustworthiness of financial data and user accounts could be compromised. The requirement for authenticated access and user interaction limits the attack surface but does not eliminate risk, especially in environments with many users or where social engineering is feasible. Organizations in Europe with extensive SME sectors relying on FacturaScripts for ERP and accounting functions are at heightened risk. The absence of known exploits suggests limited active targeting currently, but the vulnerability remains exploitable until patched.
Mitigation Recommendations
The primary mitigation is to upgrade FacturaScripts to version 2025.8 or later, where the vulnerability is fixed. Until upgrade is possible, organizations should implement strict input validation and sanitization at the application and database layers to prevent injection of malicious input that triggers error messages. Web application firewalls (WAFs) can be configured to detect and block suspicious input patterns that may exploit this XSS flaw. Educate users to avoid interacting with suspicious links or inputs that could trigger error messages. Limit user privileges to the minimum necessary to reduce the risk of exploitation by low-privilege attackers. Regularly audit and monitor application logs for unusual error message patterns or signs of attempted exploitation. Finally, ensure secure coding practices are followed in customizations or plugins to avoid similar issues.
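The rendering difference behind this flaw, and the template audit the mitigation section calls for, as an added example in Python that is not FacturaScripts code. render_raw mirrors what a Twig expression such as {{ message|raw }} does, render_escaped mirrors Twig's default HTML autoescaping using Python's html.escape, tags_in shows which elements a browser would actually create from each result, and find_raw_filters flags every use of the |raw filter in a template so customizations and plugins can be reviewed. The error message, the template fragment and all function names are constructed for the example.

```python
"""Added example (not FacturaScripts code): how an echoed database error message
renders with and without HTML escaping, plus a small audit that flags Twig's
|raw filter in template text.  All inputs below are constructed."""
import html
import re
from html.parser import HTMLParser

# Constructed: the kind of message the advisory describes, where the rejected
# user input is echoed back verbatim inside the text.  The tag is only a
# marker to show whether the browser would parse it as markup.
USER_INPUT = "<script>alert(1)</script>"
DB_ERROR = f"Invalid value '{USER_INPUT}' for column 'quantity' (integer expected)"


def render_raw(message: str) -> str:
    """Mirrors {{ message|raw }}: the string is inserted into the page as-is."""
    return f'<div class="alert alert-danger">{message}</div>'


def render_escaped(message: str) -> str:
    """Mirrors {{ message }} with Twig autoescape (html strategy) left on:
    & < > " ' become entities, so the message is shown as text, not parsed."""
    return f'<div class="alert alert-danger">{html.escape(message, quote=True)}</div>'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, the way a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Return the element names a browser would create from the fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


# Matches the filter application '|raw' or '| raw', but not a variable named raw
# and not a differently named filter that merely starts with 'raw'.
RAW_FILTER = re.compile(r"\|\s*raw\b")


def find_raw_filters(template: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for each line applying |raw.
    Each hit needs a reason why the value is trusted markup; anything that can
    carry user input (error messages, form values) should stay autoescaped."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(template.splitlines(), start=1)
        if RAW_FILTER.search(line)
    ]


# Constructed template fragment, not taken from the FacturaScripts repository.
TEMPLATE = """\
{% for msg in errors %}
  <div class="alert alert-danger">{{ msg | raw }}</div>
{% endfor %}
<p>{{ footer_html|raw }}</p>
<p>{{ username }}</p>
"""


if __name__ == "__main__":
    print("raw     :", tags_in(render_raw(DB_ERROR)))       # ['div', 'script']
    print("escaped :", tags_in(render_escaped(DB_ERROR)))   # ['div']
    for lineno, line in find_raw_filters(TEMPLATE):
        print(f"review |raw at line {lineno}: {line}")
```

The parser check is the useful part for a reviewer: the raw rendering yields a second element (the script tag) from what was supposed to be plain error text, while the escaped rendering yields only the alert container. The audit is deliberately line-based and text-only so it can be run over a plugin directory without loading Twig; it reports every hit rather than deciding which are safe, since that judgement depends on where each variable comes from.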
Affected Countries
Germany, France, Spain, Italy, Netherlands, Belgium, Poland
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-13T15:47:41.626Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 69813004f9fa50a62f63a3ab
Added to database: 2/2/2026, 11:15:16 PM
Last enriched: 2/10/2026, 11:09:45 AM
Last updated: 3/25/2026, 1:43:02 AM