CVE-2026-42877 Overview
CVE-2026-42877 is a stored Cross-Site Scripting (XSS) vulnerability in FacturaScripts, an open source accounting and invoicing platform. The flaw affects versions 2025.92 and earlier. It resides in the product search modal used by sales and purchases documents, specifically in Core/Lib/AjaxForms/SalesModalHTML.php and Core/Lib/AjaxForms/PurchasesModalHTML.php. An authenticated user with access to the warehouse module can store malicious JavaScript inside a product reference field. The payload then executes in the browser of any other user who opens the product search modal from an invoice, order, or delivery note. This vulnerability is categorized under [CWE-79].
Critical Impact
Authenticated attackers can hijack sessions, perform actions on behalf of other users, and exfiltrate accounting data through script execution in the FacturaScripts UI.
Affected Products
- FacturaScripts versions 2025.92 and earlier
- Core/Lib/AjaxForms/SalesModalHTML.php component
- Core/Lib/AjaxForms/PurchasesModalHTML.php component
Discovery Timeline
- 2026-05-27 - CVE-2026-42877 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-42877
Vulnerability Analysis
The vulnerability stems from unsanitized output of product reference data in the FacturaScripts product search modal. When a user opens the product search dialog from a sales or purchase document, the application queries warehouse products and renders their reference fields directly into the HTML response. The rendering logic in SalesModalHTML.php and PurchasesModalHTML.php does not encode user-supplied reference values before injecting them into the DOM. Any JavaScript stored in the reference field executes in the context of the victim's authenticated session. Because invoices, orders, and delivery notes are routine workflows for accounting staff, the payload reaches users with broader privileges than the original attacker.
Root Cause
The root cause is missing output encoding in server-side template rendering. Product reference values originate from authenticated input in the warehouse module and are trusted by the modal renderer. The application stores the malicious string verbatim and emits it into HTML attributes or text nodes without applying HTML entity encoding or context-aware escaping. This is a classic stored XSS pattern described in [CWE-79].
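The encoding gap described above, as an added illustration that is not code from FacturaScripts or from the advisory: a stripped-down modal row renderer that emits the reference verbatim, next to the same renderer with HTML entity encoding applied at the point of output. The function names, the markup and the sample rows are assumptions made for this example; the real SalesModalHTML.php and PurchasesModalHTML.php are structured differently.

```php
<?php
// Added illustration, not FacturaScripts code. Function names, markup and
// sample rows are assumptions; only the output-encoding pattern is the point.
declare(strict_types=1);

// Constructed sample rows resembling what a product search query might return.
// The second row carries a markup-laden reference of the kind CWE-79 describes.
const SAMPLE_PRODUCTS = [
    ['referencia' => 'ABC-001', 'descripcion' => 'Printer paper A4'],
    ['referencia' => '"><img src=x onerror=alert(1)>', 'descripcion' => 'Tampered product'],
];

// Vulnerable pattern: the reference is interpolated into an attribute value
// and a text node verbatim, so markup stored in the database becomes live DOM.
function renderRowUnencoded(array $product): string
{
    return '<tr data-ref="' . $product['referencia'] . '">'
        . '<td>' . $product['referencia'] . '</td>'
        . '<td>' . $product['descripcion'] . '</td>'
        . '</tr>';
}

// HTML entity encoding that is safe for both attribute values and text nodes.
// ENT_QUOTES escapes both quote styles, which matters inside attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted value is encoded where it is written out.
function renderRowEncoded(array $product): string
{
    return '<tr data-ref="' . h($product['referencia']) . '">'
        . '<td>' . h($product['referencia']) . '</td>'
        . '<td>' . h($product['descripcion']) . '</td>'
        . '</tr>';
}

// True when the stored value reaches the HTML response byte-for-byte, which is
// exactly the condition under which a browser would interpret it as markup.
function payloadSurvives(string $html, string $stored): bool
{
    return str_contains($html, $stored);
}

foreach (SAMPLE_PRODUCTS as $p) {
    $raw = renderRowUnencoded($p);
    $safe = renderRowEncoded($p);
    printf("reference %s\n", json_encode($p['referencia']));
    printf("  unencoded: %s  (survives verbatim: %s)\n", $raw, payloadSurvives($raw, $p['referencia']) ? 'yes' : 'no');
    printf("  encoded:   %s  (survives verbatim: %s)\n", $safe, payloadSurvives($safe, $p['referencia']) ? 'yes' : 'no');
}
```

The clean reference renders identically in both versions; the tampered one survives verbatim only in the unencoded renderer, where the leading `"` closes the attribute and the rest is parsed as a new element. Encoding at output rather than sanitising at input is the more robust fix because it covers every path by which a value reaches the page, including records stored before the fix.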
Attack Vector
The attack requires an authenticated account with warehouse module permissions. The attacker creates or edits a product and embeds a JavaScript payload inside the reference field. The payload remains dormant in the database. When any other user — including administrators — opens an invoice, order, or delivery note and triggers the product search modal, the stored script executes in their browser. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N reflects network reachability, low attacker privileges, required user interaction, and a scope change into the victim's session context.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-r736-2678-fcrx for vendor-published technical details.
Detection Methods for CVE-2026-42877
Indicators of Compromise
- Product records whose referencia field contains HTML or JavaScript syntax such as <script>, onerror=, or javascript: URIs.
- Unexpected outbound HTTP requests from accounting users' browsers immediately after opening a product search modal.
- Audit log entries showing product creation or edits from warehouse accounts followed by session anomalies for other users.
Detection Strategies
- Inspect the FacturaScripts productos table for reference values containing angle brackets, event handlers, or encoded script payloads.
- Review web server access logs for POST requests to product creation or update endpoints originating from low-privilege warehouse accounts.
- Deploy a web application firewall rule that flags reflected script-like content in modal responses from /Core/Lib/AjaxForms/ endpoints.
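A scan implementing the first detection strategy above, added here as an example and not taken from FacturaScripts or the advisory. It normalises each reference (undoing HTML-entity and percent encoding, so an encoded payload is not missed) and then checks for tag openers, inline event handlers and javascript: URIs. The table and column names productos and referencia follow the page; idproducto, the helper names and the sample rows are assumptions.

```php
<?php
// Added detection example, not part of FacturaScripts or the advisory.
// Table/column names productos.referencia come from the advisory text;
// idproducto, the helper names and the sample rows are assumptions.
declare(strict_types=1);

// Patterns that have no business in a product reference. Deliberately broad:
// a hit is a review item for a human, not an automatic block.
const SUSPICIOUS_PATTERNS = [
    '/<\s*\/?\s*[a-z]/i',  // any HTML tag opener such as <script or <img
    '/\bon[a-z]+\s*=/i',   // inline event handlers: onerror=, onload=, ...
    '/javascript\s*:/i',   // javascript: URIs
];

// Undo layers of encoding that would hide a payload from a naive substring
// search. Decoding repeats until the value stops changing, with a bound so
// pathological input cannot loop for long.
function normalizeReference(string $value): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = html_entity_decode(rawurldecode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Returns the indexes of the patterns that matched; empty when the value is clean.
function findSuspiciousPatterns(string $reference): array
{
    $normalized = normalizeReference($reference);
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $index => $pattern) {
        if (preg_match($pattern, $normalized) === 1) {
            $hits[] = $index;
        }
    }
    return $hits;
}

// Scans rows shaped like productos records and returns only the suspicious ones.
function scanProductRows(iterable $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $hits = findSuspiciousPatterns((string) $row['referencia']);
        if ($hits !== []) {
            $findings[] = [
                'idproducto' => $row['idproducto'],
                'referencia' => $row['referencia'],
                'patterns'   => $hits,
            ];
        }
    }
    return $findings;
}

// Constructed sample rows. Against a live instance, replace this constant with
// the result of a PDO query such as SELECT idproducto, referencia FROM productos
// and stream the rows through scanProductRows().
const SAMPLE_ROWS = [
    ['idproducto' => 1, 'referencia' => 'TONER-BK-42'],
    ['idproducto' => 2, 'referencia' => 'A4/80g'],
    ['idproducto' => 3, 'referencia' => '<script>alert(1)</script>'],
    ['idproducto' => 4, 'referencia' => '%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'],
    ['idproducto' => 5, 'referencia' => '&lt;svg onload=alert(1)&gt;'],
    ['idproducto' => 6, 'referencia' => 'javascript:alert(1)'],
];

foreach (scanProductRows(SAMPLE_ROWS) as $f) {
    printf("product %d: suspicious reference %s (patterns %s)\n",
        $f['idproducto'], json_encode($f['referencia']), implode(',', $f['patterns']));
}
```

Rows 3 to 6 are reported and rows 1 and 2 are not; the percent-encoded and entity-encoded rows are caught only because of the normalisation step, which is the case the second bullet above ("encoded script payloads") is about. Keep the findings as review items rather than deleting records automatically, since legitimate references can contain slashes, hyphens and similar punctuation.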
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture script execution attempts inside the FacturaScripts UI.
- Monitor browser console errors and CSP violation reports from accounting workstations.
- Alert on creation of new product records that contain non-alphanumeric characters in reference fields.
How to Mitigate CVE-2026-42877
Immediate Actions Required
- Upgrade FacturaScripts to a release later than 2025.92 that contains the fix referenced in the GitHub Security Advisory.
- Audit existing product reference fields and remove any entries containing HTML or JavaScript syntax.
- Restrict warehouse module permissions to trusted users until the patch is applied.
Patch Information
The maintainers published remediation guidance in the FacturaScripts GHSA-r736-2678-fcrx advisory. Apply the fixed version distributed through the official FacturaScripts repository. Verify the deployed version in the admin panel after upgrade.
Workarounds
- Apply a strict Content Security Policy that disallows inline scripts on FacturaScripts pages; test it against a staging instance first, because any inline scripts the application itself relies on will be blocked as well.
- Temporarily revoke warehouse module access for users who do not require product creation rights.
- Manually sanitize product reference inputs at the application or reverse-proxy layer to strip HTML special characters.
# Example Content-Security-Policy header (Apache httpd mod_headers syntax) to block inline script execution
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.