CVE-2026-23476: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in NeoRazorX facturascripts
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there was a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's |raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8.
AI Analysis
Technical Summary
FacturaScripts is an open-source ERP and accounting platform widely used by small and medium enterprises. CVE-2026-23476 is a reflected Cross-Site Scripting (XSS) vulnerability in versions prior to 2025.8. The root cause lies in the way error messages are displayed when database errors occur, such as when a string is passed where an integer is expected. FacturaScripts renders its pages with the Twig templating engine, whose HTML auto-escaping is on by default, but the error message is passed through the |raw filter, which opts out of that escaping. Consequently, the offending input, which the database error message quotes back, is rendered directly in the browser, enabling an attacker to inject arbitrary JavaScript. Exploitation requires an attacker to induce a database error by submitting crafted input, and a victim user must interact with the malicious link or input. The vulnerability affects confidentiality and integrity by allowing theft of session cookies or credentials, or execution of unauthorized actions in the context of the victim user. Availability is not impacted. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, low privileges required, user interaction required, and a scope change because the impact can extend beyond the vulnerable component. No known exploits have been reported in the wild, but the vulnerability is publicly disclosed and fixed in version 2025.8. Organizations running older versions remain at risk.
Potential Impact
For European organizations, especially SMEs relying on FacturaScripts for ERP and accounting, this vulnerability poses a risk of session hijacking, credential theft, and unauthorized actions performed under the victim's user context. This can lead to data breaches involving sensitive financial and business information, undermining confidentiality and integrity. While the vulnerability does not affect availability, the potential for lateral movement or privilege escalation exists if attackers leverage stolen credentials. The reflected XSS nature means phishing or social engineering could be used to trick users into triggering the exploit. Given the widespread use of FacturaScripts in Europe, particularly in countries with strong SME sectors, the impact could be significant in terms of financial data exposure and compliance risks under GDPR. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.
Mitigation Recommendations
Organizations should immediately upgrade FacturaScripts to version 2025.8 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement web application firewall (WAF) rules to detect and block suspicious inputs that could trigger database errors or contain script tags. Review and harden input validation and error handling mechanisms to ensure no user input is rendered without proper sanitization. Educate users about the risks of clicking on untrusted links or inputs that could trigger reflected XSS attacks. Monitor logs for unusual error message patterns or repeated database errors that may indicate exploitation attempts. Consider deploying Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of potential XSS. Regularly audit and update third-party components and dependencies to maintain security hygiene.
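As an added example (not FacturaScripts' own code) of the defect described in the technical summary and the input-validation and output-escaping recommendations above: the Twig line that disables auto-escaping next to its fixed form, plus a PHP input check and a server-side escaping step that keep a database error message from carrying markup into the page. Function names, the column name idfactura and the error texts are hypothetical or constructed for the demo.

```php
<?php
// Added example, not FacturaScripts code. Function and column names are
// hypothetical; the inputs and the driver message are constructed.
declare(strict_types=1);

// Template side (Twig). Auto-escaping is on by default; |raw opts out of it,
// which is the defect this advisory describes:
//   vulnerable:  <div class="alert">{{ error|raw }}</div>
//   fixed:       <div class="alert">{{ error }}</div>
// The PHP below adds two server-side layers so the page stays safe even if a
// template somewhere still uses |raw.

// Layer 1: validate at the edge so a string never reaches an integer column
// and therefore never gets quoted back inside a database error message.
function parseRecordId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Layer 2: escape any text destined for an error message exactly once, so
// whatever the database driver puts in it is rendered as inert text.
function safeErrorMessage(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request values: a valid id, then a string (with markup) where an
// integer is expected.
foreach (['42', '<i>abc</i>'] as $requested) {
    $id = parseRecordId($requested);
    if ($id === null) {
        // Reject early with a generic message; the request value is not echoed.
        echo safeErrorMessage('The record identifier must be a positive integer.'), PHP_EOL;
        continue;
    }
    echo "Lookup record $id", PHP_EOL;
}

// Defence in depth: if a driver message (constructed here) does reach the page,
// escaping turns its markup into entities before the template ever sees it.
$driverMessage = "Invalid value '<i>abc</i>' for integer column 'idfactura'";
echo safeErrorMessage($driverMessage), PHP_EOL;
```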
Affected Countries
Spain, Germany, France, Italy, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T15:47:41.626Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69813004f9fa50a62f63a3ab
Added to database: 2/2/2026, 11:15:16 PM
Last enriched: 2/2/2026, 11:33:05 PM
Last updated: 2/7/2026, 12:00:55 AM