
CVE-2026-23997: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in NeoRazorX facturascripts

Severity: High
Published: Mon Feb 02 2026 (02/02/2026, 20:19:45 UTC)
Source: CVE Database V5
Vendor/Project: NeoRazorX
Product: facturascripts

Description

FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browsers of administrators viewing the history.

AI-Powered Analysis

Last updated: 02/02/2026, 23:32:40 UTC

Technical Analysis

FacturaScripts is an open-source ERP and accounting software widely used by small and medium enterprises for financial management. CVE-2026-23997 identifies a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, discovered in versions 2025.71 and earlier. The vulnerability arises from improper neutralization of input during web page generation in the Observations field of the History view. Specifically, historical data is rendered without proper HTML entity encoding, allowing malicious scripts embedded by an attacker to execute in the context of the administrator's browser when they view the history. This flaw enables attackers with limited privileges (requiring some level of authentication) to inject arbitrary JavaScript code that can hijack sessions, steal sensitive data, or perform actions on behalf of the administrator, impacting confidentiality, integrity, and availability. The CVSS 3.1 score is 8.0 (high), reflecting network attack vector, low attack complexity, required privileges, and user interaction. Although no known exploits are currently active in the wild, the vulnerability's nature and affected user roles make it a significant risk. The lack of a patch link indicates that remediation may still be pending or in progress. Organizations relying on FacturaScripts should monitor vendor updates closely and apply fixes promptly. Additionally, implementing strict input validation, output encoding, and limiting access to sensitive views can reduce exposure. This vulnerability highlights the importance of secure coding practices in ERP systems that handle critical financial data.

Potential Impact

For European organizations, especially SMEs using FacturaScripts for accounting and ERP functions, this vulnerability poses a serious risk. Successful exploitation can lead to unauthorized execution of malicious scripts in administrator browsers, resulting in session hijacking, credential theft, unauthorized transactions, and potential lateral movement within internal networks. The compromise of financial data and administrative controls can cause significant operational disruption, financial loss, and reputational damage. Given the role of ERP systems in managing sensitive business processes, the impact extends beyond immediate data breaches to regulatory compliance issues under GDPR and other data protection laws. The requirement for some privileges and user interaction limits the attack surface but does not eliminate risk, particularly in environments with multiple users and shared access. The absence of known exploits in the wild provides a window for proactive defense, but the high severity score necessitates urgent attention. European organizations should consider this vulnerability critical to their cybersecurity posture, especially those in finance-heavy sectors or with high regulatory scrutiny.

Mitigation Recommendations

1. Monitor NeoRazorX and FacturaScripts official channels for patches addressing CVE-2026-23997 and apply updates immediately upon release.
2. Until patches are available, restrict access to the History view and Observations field to only trusted administrators and limit the number of users with such privileges.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the Observations field.
4. Conduct code reviews and apply manual or automated input validation and output encoding to ensure all user-supplied data is properly sanitized before rendering.
5. Educate administrators and users about the risks of clicking on untrusted links or interacting with suspicious content within the ERP interface.
6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application.
7. Regularly audit logs and monitor for unusual activity that could indicate attempted exploitation.
8. Consider network segmentation to isolate ERP systems and reduce the impact of potential compromises.

These measures, combined with timely patching, will significantly reduce the risk posed by this vulnerability.
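The output-encoding fix the description and mitigation item 4 call for, shown as an added PHP example (FacturaScripts is a PHP application, but this is not the project's own code; the history row layout, the `observations` field name and all function names are assumptions, and the sample record is constructed):

```php
<?php
// Added example, not FacturaScripts code: contextual output encoding for a
// free-text field before it is rendered into an HTML history view.
// The row layout, the field name "observations" and the function names
// are assumptions made for illustration.

declare(strict_types=1);

/**
 * Encode a string for insertion into an HTML element body or a quoted
 * attribute value. ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE
 * avoids returning an empty string on invalid UTF-8, and ENT_HTML5 selects
 * the HTML5 entity table.
 */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: the stored value is concatenated straight into the
 * markup, so any tags a user typed into the field become part of the page.
 */
function renderHistoryRowVulnerable(array $row): string
{
    return '<tr><td>' . $row['date'] . '</td><td>' . $row['observations'] . '</td></tr>';
}

/**
 * Hardened pattern: every untrusted value passes through encodeHtml() at the
 * point of output, so the same characters are displayed as literal text.
 */
function renderHistoryRowHardened(array $row): string
{
    return '<tr><td>' . encodeHtml($row['date']) . '</td>'
         . '<td>' . encodeHtml($row['observations']) . '</td></tr>';
}

/**
 * Cheap regression check for a template test suite: after encoding, the
 * untrusted value must not contribute raw tag delimiters or quotes.
 */
function containsRawMarkup(string $text): bool
{
    return preg_match('/[<>"\']/', $text) === 1;
}

/**
 * Defence in depth (mitigation item 6): a restrictive CSP so that a missed
 * encoding site still cannot run inline script. Must be sent before output.
 */
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample record: whatever a user typed into the field, including
// characters that carry meaning in HTML.
$row = [
    'date'         => '2026-02-02',
    'observations' => 'Pagado 50% <b>antes</b> & resto "a 30 días"',
];

if (PHP_SAPI !== 'cli') {
    sendCspHeader();
}

$unsafe = renderHistoryRowVulnerable($row); // field content lands in the page as markup
$safe   = renderHistoryRowHardened($row);   // field content is shown as literal text

echo $safe, PHP_EOL;

// The encoded field contributes no raw markup; the raw field does.
assert(!containsRawMarkup(encodeHtml($row['observations'])));
assert(containsRawMarkup($row['observations']));
```

The important design point is that encoding happens at output time and is chosen for the context the value is inserted into (here, HTML body and attribute text). Storing the value already encoded, or "sanitizing" on input, breaks when the same field is later shown in a different context and is exactly the kind of inconsistency that produces a stored XSS in one view (the History view) while the main form looks fine.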


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-19T18:49:20.658Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69813005f9fa50a62f63a3c8

Added to database: 2/2/2026, 11:15:17 PM

Last enriched: 2/2/2026, 11:32:40 PM

Last updated: 2/6/2026, 7:26:14 AM

