CVE-2026-23476 Overview
CVE-2026-23476 is a reflected Cross-Site Scripting (XSS) vulnerability in FacturaScripts, an open-source enterprise resource planning (ERP) and accounting application. The vulnerability lies in how error messages are displayed: the template renders them through Twig's | raw filter, which bypasses Twig's HTML escaping. When a database error is triggered (for example by passing a string where an integer is expected), the error message includes the user-supplied value and is rendered without HTML escaping, so an attacker can inject markup and script into the page.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of an authenticated user's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the ERP system containing sensitive financial and business data.
Affected Products
- FacturaScripts versions prior to 2025.8
Discovery Timeline
- 2026-02-02 - CVE-2026-23476 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-23476
Vulnerability Analysis
This reflected XSS vulnerability stems from improper output encoding in the Twig templating engine used by FacturaScripts. The application utilizes Twig's | raw filter when rendering error messages, which explicitly instructs the template engine to skip HTML entity encoding. This design choice becomes dangerous when user-controlled input is reflected in error messages, such as when database validation errors occur.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). An attacker requires low privileges and must convince a user to interact with a crafted URL, but successful exploitation can impact resources beyond the vulnerable component's security scope.
Root Cause
The root cause is the unsafe use of Twig's | raw filter in the Core/View/Macro/Utils.html.twig template file when rendering log messages and error outputs. The | raw filter tells Twig to output content without any HTML escaping, meaning special characters such as <, >, and " are not converted to their HTML entity equivalents (&lt;, &gt;, &quot;). When database errors containing user input are displayed through this template, malicious HTML or JavaScript is emitted into the page as live markup and executes in the victim's browser.
Attack Vector
The attack is network-based and exploits the error handling path. An attacker crafts a URL whose parameter, which the application expects to hold a specific data type (for example an integer), instead carries an XSS payload. When a victim who is logged in to FacturaScripts opens this link:
- The application attempts to process the malicious input
- A database error is triggered due to type mismatch
- The error message, containing the unsanitized attacker input, is rendered using the vulnerable Twig template
- The XSS payload executes in the victim's browser within the context of the FacturaScripts session
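The following Python model of that rendering path is an added example, not FacturaScripts code (the project's template runs in PHP/Twig). It models `| raw` as plain string splicing and Twig autoescape as html.escape, and shows the same database error text rendered both ways. The parameter name and the wording of the error message are assumptions, not the project's actual strings.

```python
import html

# Constructed payload of the kind the page describes: a tag with an inline
# event handler, so it fires without needing a <script> element.
PAYLOAD = '<img src=x onerror=alert(document.cookie)>'


def build_db_error(param_name: str, user_value: str) -> str:
    """Assumed shape of a type-mismatch error that echoes the offending value
    back to the user (the real message text is not taken from the project)."""
    return f"Invalid value for {param_name}: expected integer, got '{user_value}'"


def render_raw(message: str) -> str:
    """Models `{{ message | raw }}`: the string is spliced into the page
    unchanged, so any markup inside it becomes live HTML."""
    return f'<div class="alert alert-danger">{message}</div>'


def render_escaped(message: str) -> str:
    """Models Twig autoescape (`{{ message }}`): <, >, &, " and ' become
    entities, so the browser displays the payload as text instead of parsing it."""
    return f'<div class="alert alert-danger">{html.escape(message, quote=True)}</div>'


def markup_survives(rendered: str, payload: str) -> bool:
    """True when the attacker's tag is still present verbatim in the output,
    i.e. the rendering path is exploitable for this payload."""
    return payload in rendered


if __name__ == "__main__":
    # "idfactura" is a placeholder parameter name, not a confirmed endpoint field.
    error = build_db_error("idfactura", PAYLOAD)
    print("raw:      ", render_raw(error))
    print("escaped:  ", render_escaped(error))
    print("vulnerable:", markup_survives(render_raw(error), PAYLOAD))
    print("fixed:     ", markup_survives(render_escaped(error), PAYLOAD))
```

Note that the fix is applied at the output stage, not by filtering the input: the error text is allowed to contain the offending value, and escaping at render time guarantees it cannot become markup whatever the database layer echoed back.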
The following excerpt is taken from the patch to the Core/View/Macro/Utils.html.twig file (only the file's license header is reproduced here):
{#
/**
* This file is part of FacturaScripts
- * Copyright (C) 2017-2024 Carlos Garcia Gomez <carlos@facturascripts.com>
+ * Copyright (C) 2017-2026 Carlos Garcia Gomez <carlos@facturascripts.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
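Review bot: the only change visible in this excerpt is the copyright year in the license header (2017-2024 to 2017-2026); the lines that remove or escape the | raw filter, which the surrounding text attributes to this patch, are not included, so the excerpt does not show the fix itself. Include the hunk that touches the log-message rendering in Utils.html.twig so the change from | raw to escaped output can actually be reviewed.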
Source: GitHub Commit Changes
The complete patch removes or properly escapes the dangerous | raw filter usage when rendering user-influenced content in error messages.
Detection Methods for CVE-2026-23476
Indicators of Compromise
- Unusual URL parameters containing JavaScript code or HTML tags in requests to FacturaScripts endpoints
- Web server logs showing requests with encoded XSS payloads (e.g., %3Cscript%3E, javascript:, onerror=)
- Database error messages in application logs that contain suspicious HTML or script content
- User reports of unexpected browser behavior or pop-ups when using FacturaScripts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in request parameters
- Monitor application logs for database errors containing HTML special characters or script tags
- Deploy browser-based Content Security Policy (CSP) violation reporting to detect XSS execution attempts
- Use SentinelOne Singularity XDR to correlate web application anomalies with endpoint behavior
Monitoring Recommendations
- Enable detailed logging for all error messages and review them for potential injection attempts
- Set up alerts for unusual patterns in URL parameters, particularly those containing encoded characters
- Monitor for CSP violations which may indicate attempted XSS exploitation
- Track user sessions for abnormal activity following visits to URLs with suspicious parameters
How to Mitigate CVE-2026-23476
Immediate Actions Required
- Upgrade FacturaScripts to version 2025.8 or later immediately
- Review web server access logs for evidence of exploitation attempts
- Implement Content Security Policy headers to mitigate XSS impact
- Invalidate existing user sessions after applying the patch if exploitation is suspected, since a session token stolen via XSS remains valid until the session is ended
Patch Information
The vulnerability is fixed in FacturaScripts version 2025.8. The patch modifies the Core/View/Macro/Utils.html.twig file to properly escape user-controlled content in error messages, preventing XSS execution. Organizations should update immediately by downloading the latest release from the official GitHub repository.
For detailed information about the vulnerability and fix, refer to the GitHub Security Advisory GHSA-g6w2-q45f-xrp4.
Workarounds
- Implement a Web Application Firewall (WAF) with XSS protection rules as a temporary measure
- Deploy strict Content Security Policy headers to prevent inline script execution
- Restrict access to FacturaScripts to trusted networks until patching is complete
- Consider temporarily disabling detailed error messages in production so that the offending input is not echoed back into the page
# Example Content Security Policy header configuration for Apache
# Add to .htaccess or Apache configuration. Roll it out as
# Content-Security-Policy-Report-Only first: script-src 'self' blocks every
# inline <script> and inline event handler, which also breaks any legitimate
# inline scripts the application relies on, so check the violation reports
# before switching to the enforcing header.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.