Cyber Posture

CVE-2026-23997

Severity: High · Public PoC

Published: 02 February 2026
Modified: 23 February 2026
CISA KEV: not listed
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.4th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23997 is a high-severity stored Cross-Site Scripting (CWE-79) vulnerability in FacturaScripts (vendor and product both listed as Facturascripts), affecting versions 2025.71 and earlier. Its CVSS v3.1 base score is 8.0 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter: JavaScript (T1059.007). Its EPSS score of 0.0002 sits at the 5.4th percentile of exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS should not be read as low urgency on its own: any authenticated low-privilege user who can write to the Observations field can plant the payload, and it fires the next time an administrator opens the History view, so deployments with untrusted user accounts should treat the fix as a priority.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007). What defenders deploy: the NIST 800-53 controls listed below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- SI-15 Information Output Filtering (prevent): mandates filtering information prior to output, which directly addresses the missing HTML entity encoding when the Observations field is rendered in the History view and so stops the stored script from executing in the administrator's browser.
- SI-10 Information Input Validation (prevent): requires validation of input to the Observations field, limiting what an authenticated low-privilege user can store. This is a defense-in-depth layer: a free-text field cannot be validated into safety without also rejecting legitimate text, so output encoding remains the actual fix.
- SI-2 Flaw Remediation (prevent): ensures timely identification, reporting, and correction of the flaw, i.e. applying the vendor's fix to FacturaScripts installations running version 2025.71 or earlier.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1059.007 Command and Scripting Interpreter: JavaScript
Adversaries may abuse various implementations of JavaScript for execution.

Why this technique? Stored XSS directly enables arbitrary JavaScript execution in the victim's browser context, here an administrator's authenticated session with the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of administrators viewing the history.

Deeper analysis [AI-generated]

CVE-2026-23997 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting FacturaScripts, an open-source enterprise resource planning and accounting software. The issue impacts versions 2025.71 and earlier, specifically in the Observations field as rendered in the History view. There, historical data lacks proper HTML entity encoding, enabling injected scripts to execute.

An attacker with low privileges (PR:L), i.e. an authenticated user who can write to the Observations field, stores the malicious JavaScript. The attack is delivered over the network (AV:N) with low complexity (AC:L), but it only fires when an administrator opens the History view, hence the user-interaction requirement (UI:R). The script then runs in the administrator's browser under the application's own origin (scope unchanged, S:U), where it can read whatever the administrator can see and issue requests with the administrator's session, which is why the CVSS v3.1 vector rates confidentiality, integrity and availability impact all as high: 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

The GitHub security advisory at https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h provides further details on the vulnerability.
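The unencoded rendering described above, beside the encode-on-output fix that SI-15 calls for and the SI-10 validation layer, as an added example written for this page in Python. It is not FacturaScripts code (the project itself is PHP) and not taken from the advisory; the row layout, the column names, the payload string, the 2000-character limit and the helper names (render_history_vulnerable, render_history_hardened, encode_for_html, leaks_stored_markup, validate_observations) are all assumptions made for the illustration.

```python
import html
import re

# Constructed sample payload: the kind of string a low-privilege user could
# save in the Observations field. The payload text is made up for this example.
XSS_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# Constructed history rows as a History view might load them. The column
# names are assumptions for the example, not FacturaScripts' schema.
SAMPLE_HISTORY = [
    {"date": "2026-02-01", "user": "alice", "observations": "Invoice reissued"},
    {"date": "2026-02-02", "user": "mallory", "observations": XSS_PAYLOAD},
]

# Tags the template itself emits; anything else that reaches the page as
# markup must have come from stored data.
_TEMPLATE_TAGS = re.compile(r"</?(?:table|tr|td)>")


def render_history_vulnerable(rows):
    """The CWE-79 pattern: stored values are interpolated straight into HTML.

    Whatever the user saved in Observations becomes live markup in the
    browser of the administrator who opens the History view.
    """
    cells = "".join(
        f"<tr><td>{r['date']}</td><td>{r['user']}</td><td>{r['observations']}</td></tr>"
        for r in rows
    )
    return f"<table>{cells}</table>"


def encode_for_html(value):
    """Output encoding (SI-15): make a stored value inert inside an HTML element.

    quote=True also encodes " and ', so the same helper is safe inside a
    quoted attribute value.
    """
    return html.escape(str(value), quote=True)


def render_history_hardened(rows):
    """Same view, with every stored field encoded at the point of output."""
    cells = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            encode_for_html(r["date"]),
            encode_for_html(r["user"]),
            encode_for_html(r["observations"]),
        )
        for r in rows
    )
    return f"<table>{cells}</table>"


def leaks_stored_markup(rendered):
    """Check used here to compare the two renderers.

    Strip the template's own tags; any '<' left over was supplied unencoded
    by stored data and would be handed to the browser's HTML parser.
    """
    return "<" in _TEMPLATE_TAGS.sub("", rendered)


MAX_OBSERVATIONS_LEN = 2000  # assumed limit for the example
_TAG_LIKE = re.compile(r"<\s*/?\s*[a-zA-Z!]")  # '<' followed by a tag-like start


def validate_observations(value):
    """Input validation (SI-10) as defense in depth, applied when the value is saved.

    Rejects control characters, over-long input and tag-like sequences while
    still allowing ordinary text such as 'amount < 100'. It narrows what an
    attacker can store but does not replace output encoding.
    """
    if not isinstance(value, str):
        raise ValueError("observations must be a string")
    if len(value) > MAX_OBSERVATIONS_LEN:
        raise ValueError("observations exceeds %d characters" % MAX_OBSERVATIONS_LEN)
    if any(ord(c) < 32 and c not in "\n\t" for c in value):
        raise ValueError("control characters are not allowed")
    if _TAG_LIKE.search(value):
        raise ValueError("markup is not allowed in observations")
    return value


if __name__ == "__main__":
    print("vulnerable view leaks markup:", leaks_stored_markup(render_history_vulnerable(SAMPLE_HISTORY)))
    print("hardened view leaks markup:  ", leaks_stored_markup(render_history_hardened(SAMPLE_HISTORY)))
    print("encoded payload:", encode_for_html(XSS_PAYLOAD))
```

In PHP the equivalent of encode_for_html is htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), and in Twig templates it is leaving autoescape enabled rather than applying the raw filter to stored text. The encoding is the fix; validate_observations only narrows what can be stored, and a stricter filter that rejected every '<' would also reject legitimate entries such as "amount < 100".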

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Affected Products: FacturaScripts facturascripts ≤ 2025.71

CVEs Like This One

- CVE-2026-25513 (same product: FacturaScripts)
- CVE-2026-25514 (same product: FacturaScripts)
- CVE-2026-1090 (shared CWE-79)
- CVE-2025-22326 (shared CWE-79)
- CVE-2026-34557 (shared CWE-79)
- CVE-2025-28880 (shared CWE-79)
- CVE-2026-3880 (shared CWE-79)
- CVE-2025-69368 (shared CWE-79)
- CVE-2025-0829 (shared CWE-79)
- CVE-2025-23516 (shared CWE-79)

References

- GitHub Security Advisory GHSA-4v7v-7v7r-3r5h: https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h