CVE-2026-27964
Deferred Deferred - Pending Action
Reflected XSS in FacturaScripts via fsNick Cookie

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick cookie is rendered into the DOM without encoding. While the server does reject the modified session and forces a logout, the HTML containing the payload reaches the browser first. This lets the script execute immediately upon load, effectively beating the redirect. This issue has been fixed in version 2025.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-27964
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
facturascripts facturascripts to 2025.8 (exc)
facturascripts facturascripts 2025.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Reflected Cross-Site Scripting (XSS) issue found in FacturaScripts versions 2025.7 and earlier. It occurs because the application takes the value of the fsNick cookie parameter and directly inserts it into the HTML page without sanitizing or encoding it. As a result, malicious scripts can be injected and executed in the user's browser when the page loads.

Although the server detects the modified session and forces a logout, the malicious script executes before the redirect happens, allowing the attack to succeed.

This vulnerability was fixed in version 2025.8 of FacturaScripts.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to theft of sensitive information, such as cookies or session tokens, manipulation of the web page content, or performing actions on behalf of the user.

Since the malicious script runs before the user is logged out, it can effectively bypass some security measures and potentially compromise user data or session integrity.

Detection Guidance

This vulnerability involves the fsNick cookie parameter being reflected unsanitized into the HTML, leading to a Reflected Cross-Site Scripting (XSS) issue. Detection would involve monitoring HTTP responses for the presence of the fsNick cookie value reflected in the HTML content without proper encoding.

Since no specific detection commands or tools are provided, a general approach would be to use web proxy tools like Burp Suite or curl to inspect HTTP responses for the reflection of the fsNick cookie value.

  • Use curl to send a request with a crafted fsNick cookie and observe the response: curl -v --cookie "fsNick=<script>alert(1)</script>" http://target-url/
  • Use a web proxy (e.g., Burp Suite) to intercept requests and responses, and check if the fsNick cookie value is reflected in the HTML response without encoding.
Mitigation Strategies

The vulnerability has been fixed in FacturaScripts version 2025.8. The immediate mitigation step is to upgrade the software to version 2025.8 or later.

Until the upgrade can be performed, consider implementing web application firewall (WAF) rules to block or sanitize requests containing malicious scripts in the fsNick cookie.

Additionally, instruct users to clear their cookies to avoid carrying malicious fsNick cookie values.

Compliance Impact

The provided information does not specify how the Reflected Cross-Site Scripting (XSS) vulnerability in FacturaScripts impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27964. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart