CVE-2026-27964 Overview
CVE-2026-27964 is a Reflected Cross-Site Scripting (XSS) vulnerability [CWE-79] in FacturaScripts, an open source accounting and invoicing application. Versions 2025.7 and prior reflect the fsNick cookie value directly into the HTML response without sanitization or output encoding. An attacker who can set or influence the fsNick cookie in a victim's browser can execute arbitrary JavaScript in the application context. The server rejects the modified session and forces a logout, but the HTML containing the payload reaches the browser before the redirect completes. The script executes immediately on page load. The issue is fixed in version 2025.8.
Critical Impact
Authenticated attackers with local access can execute arbitrary JavaScript in a victim's browser session, enabling theft of session data and limited integrity impact on the FacturaScripts UI.
Affected Products
- FacturaScripts versions 2025.7 and prior
- FacturaScripts open source accounting and invoicing platform
- Fixed in FacturaScripts 2025.8
Discovery Timeline
- 2026-05-18 - CVE-2026-27964 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-27964
Vulnerability Analysis
The vulnerability is a classic Reflected XSS issue rooted in unsafe handling of a client-controlled cookie. FacturaScripts reads the fsNick cookie value and injects it directly into the rendered DOM. The application does not apply HTML entity encoding or contextual output sanitization before emission. As a result, any JavaScript payload stored in the fsNick cookie executes when the browser parses the response.
The race condition between rendering and the server-side logout adds practical exploitability. While the backend identifies the tampered session and issues a redirect to log the user out, the malicious HTML payload is delivered in the same response. Browser parsing begins immediately, allowing the injected script to run before the redirect terminates the page context. This effectively neutralizes the server's defense-in-depth measure.
Root Cause
The root cause is missing output encoding on a user-influenced input. The fsNick cookie is treated as trusted server-side state, but its value originates from the client and can be modified. Rendering this value into HTML without applying functions equivalent to htmlspecialchars() or template auto-escaping allows raw markup to enter the DOM.
Attack Vector
Exploitation requires local access and user interaction. An attacker with the ability to set cookies in the victim's browser, through a sibling subdomain, a separate XSS primitive, or local malware, places a JavaScript payload into the fsNick cookie. When the victim loads any FacturaScripts page that reflects this cookie, the script executes in the application's origin. The attacker can read DOM content, exfiltrate session-related data, or perform limited UI manipulation before the logout redirect fires.
The vulnerability mechanism is documented in the FacturaScripts Security Advisory GHSA-gq5c-rw37-g46c and remediated in commit 9066e10.
Detection Methods for CVE-2026-27964
Indicators of Compromise
- Unexpected values in the fsNick cookie containing HTML tags, angle brackets, or JavaScript syntax such as <script>, onerror=, or javascript: URIs.
- Server logs showing forced logout events immediately following requests with abnormal fsNick cookie content.
- Browser console errors or outbound requests to attacker-controlled domains correlated with FacturaScripts page loads.
Detection Strategies
- Inspect HTTP request headers at the web application firewall or reverse proxy for fsNick cookie values containing markup or script syntax.
- Hunt FacturaScripts response bodies for occurrences of the fsNick value rendered alongside unescaped angle brackets.
- Review authentication logs for short-lived sessions ending in forced logout, which can indicate exploitation attempts against the rejection path.
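As an added illustration of the indicators and detection strategies above (example code, not from the advisory or from FacturaScripts), this Python script scans constructed access-log lines for fsNick cookie values that carry markup after URL-decoding, applies the alphanumeric allowlist from the workarounds section, and records whether the request hit the 302 rejection path the advisory describes. The log line format, paths and cookie values are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines, not from any real FacturaScripts deployment.
# Assumed line format: "<ip> <method> <path> <status> cookie=<raw Cookie header>"
SAMPLE_LOG = """\
10.0.0.5 GET /ListFacturaCliente 200 cookie=fsNick=alice; PHPSESSID=abc123
10.0.0.7 GET /ListFacturaCliente 302 cookie=fsNick=%3Cscript%3Ealert(1)%3C/script%3E; PHPSESSID=def456
10.0.0.7 GET /Login 200 cookie=PHPSESSID=def456
10.0.0.9 GET /Dashboard 200 cookie=fsNick=bob%22%20onerror%3Dalert(1); PHPSESSID=ghi789
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) cookie=(?P<cookie>.*)$", re.M)
# Allowlist mirroring the workaround: a nick should be plain alphanumerics (plus _ and -).
NICK_ALLOWLIST = re.compile(r"^[A-Za-z0-9_-]+$")
# Markup and script indicators named in the IoC list: angle brackets, quotes, event handlers, javascript: URIs.
MARKUP_RE = re.compile(r"[<>\"'`]|\bon\w+\s*=|javascript:", re.IGNORECASE)

def extract_fsnick(cookie_header):
    """Return the URL-decoded fsNick value from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "fsNick":
            return unquote(value)  # decode %3C-style encoding before inspecting the value
    return None

def classify_nick(nick):
    """Return 'markup', 'non-allowlisted' or None for a decoded fsNick value."""
    if nick is None:
        return None
    if MARKUP_RE.search(nick):
        return "markup"
    if not NICK_ALLOWLIST.match(nick):
        return "non-allowlisted"
    return None

def scan_log(text):
    """Return (ip, path, decoded_nick, reason, forced_logout) per suspicious request; forced_logout marks a 302."""
    hits = []
    for m in LOG_RE.finditer(text):  # one match per well-formed log line
        nick = extract_fsnick(m.group("cookie"))
        reason = classify_nick(nick)
        if reason:
            hits.append((m.group("ip"), m.group("path"), nick, reason, m.group("status") == "302"))
    return hits

if __name__ == "__main__":
    for ip, path, nick, reason, logout in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} fsNick={nick!r} reason={reason} forced_logout={logout}")
```

A hit whose forced_logout flag is True is a request that carried markup and was rejected by the server, which matches the short-lived-session pattern the detection strategies describe.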
Monitoring Recommendations
- Enable verbose web server logging that captures full cookie headers for FacturaScripts endpoints during the remediation window.
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution attempts.
- Alert on anomalous outbound JavaScript fetches or fetch()/XMLHttpRequest traffic originating from authenticated FacturaScripts sessions.
How to Mitigate CVE-2026-27964
Immediate Actions Required
- Upgrade FacturaScripts to version 2025.8 or later, which contains the official fix.
- Invalidate active sessions and require re-authentication after upgrading to clear any cookies tampered with prior to the patch.
- Audit reverse proxy and WAF rules to block requests with HTML or script syntax in the fsNick cookie.
Patch Information
The maintainers addressed the issue in FacturaScripts 2025.8. The remediation is published in commit 9066e10 and tracked under GHSA-gq5c-rw37-g46c. The fix introduces output encoding for the fsNick cookie value before it is rendered into the DOM.
Workarounds
- If immediate patching is not possible, deploy a WAF rule that strips or rejects fsNick cookies containing characters outside an allowlist of alphanumerics.
- Enforce a strict Content Security Policy that disallows inline scripts to neutralize reflected payloads.
- Restrict FacturaScripts to trusted networks and require authenticated VPN access to reduce exposure to local cookie tampering vectors.
# Example WAF rule fragment (ModSecurity) to block markup in the fsNick cookie.
# t:urlDecodeUni decodes %3C-style encoding before matching and (?i) makes the
# pattern case-insensitive, so neither <SCRIPT> nor %3Cscript%3E slips past the rule.
SecRule REQUEST_COOKIES:fsNick "@rx (?i)[<>\"'`]|script|javascript:" \
    "id:1027964,phase:1,deny,status:400,log,t:none,t:urlDecodeUni,\
    msg:'CVE-2026-27964: Suspicious fsNick cookie content'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.