CVE-2026-23476 Overview
CVE-2026-23476 is a reflected cross-site scripting (XSS) vulnerability in FacturaScripts, an open-source enterprise resource planning (ERP) and accounting application. The flaw exists in versions prior to 2025.8 and stems from the use of Twig's | raw filter when rendering error messages. When a database error is triggered, such as supplying a string where an integer is expected, the user-controlled input is echoed back into the response without HTML escaping. An attacker can craft a malicious link that executes arbitrary JavaScript in the victim's browser session [CWE-79].
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in a victim's browser, leading to session theft, defacement, or actions performed on behalf of the user.
Affected Products
- FacturaScripts versions prior to 2025.8
- Self-hosted FacturaScripts ERP/accounting instances
- Web deployments exposing the affected error rendering path
Discovery Timeline
- 2026-02-02 - CVE-2026-23476 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-23476
Vulnerability Analysis
The vulnerability resides in the error message rendering pipeline of FacturaScripts. The application uses the Twig templating engine to display server-side errors back to the user. The template applies the | raw filter to the error message string, instructing Twig to bypass its default HTML auto-escaping behavior. When an unhandled exception or database error occurs, the message frequently contains the offending user input verbatim. This combination causes any HTML or JavaScript supplied by the attacker to be rendered as live markup in the browser.
Exploitation requires low privileges (an authenticated session) and user interaction, since the victim must visit an attacker-crafted URL. Because the scope is changed, the injected script executes in the FacturaScripts origin and can access session cookies and DOM data accessible to the user.
Root Cause
The root cause is improper output encoding in the Twig template responsible for rendering error feedback. The | raw filter disables contextual escaping, and the application does not sanitize the error string before passing it to the template. Database driver exceptions, such as type mismatch errors, embed the raw user-supplied value into the message, providing a direct injection channel.
Attack Vector
The attack vector is network-based and reflected. An attacker constructs a URL targeting a FacturaScripts endpoint where a parameter is type-coerced into an integer (for example, a record identifier). The attacker supplies a string payload containing HTML or JavaScript. The backend triggers a database error, and the resulting error page renders the payload unescaped. When a logged-in user clicks the link, the script runs in their session context.
The vulnerability is documented in the GitHub Security Advisory GHSA-g6w2-q45f-xrp4 and resolved in commit 2afd98c. No public proof-of-concept code is available.
Detection Methods for CVE-2026-23476
Indicators of Compromise
- HTTP requests to FacturaScripts endpoints containing <script>, onerror=, onload=, or encoded JavaScript payloads in query parameters or form fields
- Server-side application logs showing database type-mismatch or casting errors correlated with unusual parameter values
- Outbound requests from authenticated user browsers to attacker-controlled domains shortly after visiting a FacturaScripts URL
Detection Strategies
- Inspect web server and application logs for requests where integer-typed parameters receive non-numeric strings containing HTML metacharacters
- Deploy a web application firewall (WAF) rule set that flags reflected XSS patterns targeting FacturaScripts URL paths
- Review Twig template rendering errors and correlate them with the originating HTTP request to identify injection attempts
Monitoring Recommendations
- Enable a strict Content Security Policy (CSP) and alert on report-uri or report-to violations originating from FacturaScripts hosts
- Monitor session cookie usage for anomalies such as concurrent geographic logins after suspected XSS delivery
- Track FacturaScripts version inventory and alert on any host still running a release prior to 2025.8
How to Mitigate CVE-2026-23476
Immediate Actions Required
- Upgrade all FacturaScripts deployments to version 2025.8 or later, as released in the v2025.8 GitHub release
- Review web access logs for prior exploitation attempts containing script tags or event handlers in request parameters
- Rotate session tokens and credentials for users who may have followed suspicious links to the application
Patch Information
The issue is fixed in FacturaScripts 2025.8. The patch is applied in commit 2afd98cecd26c5f8357e0e321d86063ad1012fc3, which removes the unsafe | raw rendering of error messages so that Twig's default HTML escaping is enforced. Administrators should pull the release tag and redeploy following the project's standard upgrade procedure.
Workarounds
- Restrict FacturaScripts access to trusted networks or VPN users until the upgrade is applied
- Deploy a WAF rule that blocks requests containing HTML or JavaScript metacharacters in numeric parameters
- Apply a strict Content Security Policy that disallows inline scripts to reduce the impact of a successful injection
# Upgrade FacturaScripts to the patched release
git fetch --tags
git checkout v2025.8
composer install --no-dev --optimize-autoloader
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
