CVE-2026-2679
Received
Received - Intake
Reflected XSS in A3factura 'customerName' Parameter Enables Code Execution
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerName', in 'a3factura-app.wolterskluwer.es/#/incomes/salesInvoices' endpoint,Β which could allow an attacker to execute arbitrary code in the victim's browser.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolterskluwer | a3factura | 4.111.2 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
