FacturaScripts is an open-source ERP and accounting software widely used by small and medium enterprises. In versions 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-23997) was identified in the Observations field of the History view. This vulnerability arises because the application fails to properly neutralize user-supplied input by not encoding HTML entities before rendering historical data. Consequently, an attacker with at least limited privileges can inject malicious JavaScript code into the Observations field. When an administrator or authorized user views the History page, the malicious script executes in their browser context. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed with administrative privileges. The vulnerability requires some user interaction (viewing the History page) and privileges to input data, but no known public exploits have been reported yet. The CVSS v3.1 base score is 8.0, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring privileges and user interaction. The flaw is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). No official patches were linked at the time of reporting, so mitigation relies on secure coding practices and access controls until updates are released.

For European organizations, this vulnerability poses a significant risk to the security of ERP and accounting data managed by FacturaScripts. Successful exploitation can lead to administrative account compromise, enabling attackers to manipulate financial records, exfiltrate sensitive business data, or disrupt operations. The breach of confidentiality and integrity in financial systems can result in regulatory non-compliance, financial losses, and reputational damage. Given the critical role of ERP systems in business processes, availability could also be impacted if attackers leverage the XSS to deploy further attacks such as ransomware or data destruction. Organizations with administrators frequently accessing the History view are particularly vulnerable. The lack of known exploits in the wild provides a window for proactive mitigation, but the high CVSS score underscores the urgency of addressing this issue to prevent targeted attacks, especially in sectors with stringent data protection requirements like finance and manufacturing.

1. Apply official patches or updates from NeoRazorX as soon as they become available to address the XSS vulnerability directly. 2. Until patches are released, restrict access to the History view to only trusted and essential administrative users to minimize exposure. 3. Implement strict input validation on the Observations field to sanitize and reject potentially malicious input before storage. 4. Employ output encoding techniques, such as HTML entity encoding, when rendering user-supplied data in the History view to prevent script execution. 5. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the application. 6. Conduct regular security audits and penetration testing focused on web application input handling and output encoding. 7. Educate administrators and users about the risks of XSS and encourage cautious behavior when interacting with user-generated content. 8. Monitor logs for unusual activity related to the History view or unexpected script execution attempts. 9. Consider deploying web application firewalls (WAF) with rules targeting XSS attack patterns as an additional protective layer.