CVE-2026-2677
Reflected XSS in A3factura 'name' Parameter Enables Code Execution
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolterskluwer | a3factura | 4.111.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-2677 is a reflected Cross-Site Scripting (XSS) vulnerability found in the A3factura web platform, specifically in the 'name' parameter of the endpoint 'a3factura-app.wolterskluwer.es/#/incomes/representatives-management'."}, {'type': 'paragraph', 'content': "This vulnerability allows an attacker to inject malicious code that is then executed in the victim's browser when they visit a crafted URL or interact with the vulnerable parameter."}, {'type': 'paragraph', 'content': 'It is classified under CWE-79, which involves improper neutralization of input during web page generation, leading to XSS attacks.'}, {'type': 'paragraph', 'content': 'The issue was fixed in A3factura version 4.114.0-rev.6.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "Exploiting this vulnerability could allow an attacker to execute arbitrary code in the victim's browser."}, {'type': 'paragraph', 'content': 'This can lead to theft of sensitive information such as cookies, session tokens, or other private data accessible through the browser.'}, {'type': 'paragraph', 'content': 'It may also enable attackers to perform actions on behalf of the victim within the affected web application, potentially compromising user accounts or data.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the 'name' parameter of the A3factura web platform endpoint `a3factura-app.wolterskluwer.es/#/incomes/representatives-management`."}, {'type': 'paragraph', 'content': "To detect this vulnerability, you can test the 'name' parameter by injecting typical XSS payloads in HTTP requests to this endpoint and observe if the payload is reflected and executed in the browser."}, {'type': 'list_item', 'content': 'Use curl or similar tools to send requests with XSS payloads, for example: curl -G "https://a3factura-app.wolterskluwer.es/#/incomes/representatives-management" --data-urlencode "name=<script>alert(1)</script>"'}, {'type': 'list_item', 'content': "Use browser developer tools or proxy tools like Burp Suite to intercept and modify requests to inject XSS payloads in the 'name' parameter and check for script execution."}, {'type': 'list_item', 'content': 'Automated vulnerability scanners that support XSS detection can be used against the affected endpoint and parameter.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The vulnerability was fixed in A3factura version 4.114.0-rev.6, released on 17/02/2026.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading the A3factura software to version 4.114.0-rev.6 or later to apply the official fix.'}, {'type': 'paragraph', 'content': "Until the upgrade can be performed, consider implementing web application firewall (WAF) rules to block or sanitize requests containing suspicious scripts in the 'name' parameter."}, {'type': 'paragraph', 'content': 'Educate users to be cautious about clicking on suspicious links that might exploit this reflected XSS vulnerability.'}] [1]