PatchSiren cyber security CVE debrief
CVE-2026-27964 NeoRazorX CVE debrief
CVE-2026-27964 is a reflected cross-site scripting issue in FacturaScripts versions 2025.7 and earlier. The application reflects the fsNick cookie value into HTML without proper encoding, allowing attacker-controlled script content to reach the browser before the application rejects the modified session and logs the user out. The issue was fixed in version 2025.8.
- Vendor: NeoRazorX
- Product: facturascripts
- CVSS: LOW 3.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
Organizations running FacturaScripts 2025.7 or earlier, especially teams that expose the application to end users, manage authenticated sessions, or rely on it for accounting and invoicing workflows. Administrators, application maintainers, and anyone integrating custom templates or middleware that touch the fsNick cookie should review this promptly.
Technical summary
The issue is a reflected XSS in the fsNick cookie handling path. According to the advisory, the cookie value is written into the HTML response without sanitization or output encoding. Although the server later rejects the altered session and forces a logout, the response containing the payload has already been sent, so the script can execute as soon as the page loads. NVD lists the weakness as CWE-79 and the vector as CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (local attack vector, low privileges, user interaction required, low confidentiality and integrity impact, no availability impact), which yields the low base score of 3.9.
Defensive priority
Medium priority for exposed instances: the published CVSS is low, but reflected XSS can still enable session abuse, content injection, or user-targeted attacks. Patch promptly if you run affected versions, because the vulnerable reflection occurs before logout enforcement.
Recommended defensive actions
- Upgrade FacturaScripts to version 2025.8 or later.
- Review any custom templates, extensions, or middleware that could reproduce unsanitized cookie reflection.
- Confirm that user-controlled values are HTML-encoded before being written into the DOM.
- Validate that logout or session rejection flows do not expose reflected content prior to redirect or page replacement.
- If you operate a public-facing instance, add testing and monitoring for unexpected script-bearing input in request and cookie handling paths.
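As an added example, not code from FacturaScripts or from the advisory, the PHP script below models the two halves of the fix described in the technical summary and the actions above: the session is rejected before any HTML is produced (a bodiless redirect instead of a page that carries the reflected value), and the nick is HTML-encoded on the success path. It also includes a small heuristic of the kind the monitoring step calls for. Only the cookie name fsNick comes from the advisory; the fsToken cookie, the VALID_SESSIONS store, the function names and the tampered cookie jar are hypothetical stand-ins for the real session lookup and request.

```php
<?php
declare(strict_types=1);

// Constructed session store (hypothetical; stands in for a database lookup).
// Maps a nick to the token that a valid session cookie must carry.
const VALID_SESSIONS = ['alice' => 'tok-7f3a'];

// Vulnerable rendering: the raw cookie value is concatenated into HTML.
function renderNickVulnerable(string $fsNick): string
{
    return '<span class="nav-nick">' . $fsNick . '</span>';
}

// Hardened rendering: encode before the value can reach the DOM. ENT_QUOTES
// also covers attribute contexts; ENT_SUBSTITUTE returns U+FFFD instead of an
// empty string on invalid UTF-8, so a malformed cookie cannot blank the field.
function renderNickHardened(string $fsNick): string
{
    $safe = htmlspecialchars($fsNick, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span class="nav-nick">' . $safe . '</span>';
}

// Monitoring heuristic: flag cookie values that carry markup or script tokens.
function isScriptBearing(string $value): bool
{
    return preg_match('/[<>]|javascript:|on[a-z]+\s*=/i', $value) === 1;
}

// Order the advisory describes as wrong: the page is assembled (with the nick)
// before the session is checked, so the payload is sent even when the request
// ends in a logout.
function handleVulnerable(array $cookies): array
{
    $nick = (string) ($cookies['fsNick'] ?? '');
    $html = '<html><body>' . renderNickVulnerable($nick);
    $expected = VALID_SESSIONS[$nick] ?? null;
    if ($expected === null || $expected !== (string) ($cookies['fsToken'] ?? '')) {
        // logout happens here, but the HTML above has already been built
        $html .= '<p>Session rejected, logged out.</p>';
    }
    return ['status' => 200, 'location' => null, 'body' => $html . '</body></html>'];
}

// Corrected order: validate the session before producing any output, answer a
// rejected session with a bodiless redirect, and encode on the success path.
function handleHardened(array $cookies): array
{
    $nick = (string) ($cookies['fsNick'] ?? '');
    $token = (string) ($cookies['fsToken'] ?? '');
    $expected = VALID_SESSIONS[$nick] ?? null;
    if ($expected === null || !hash_equals($expected, $token)) {
        return ['status' => 302, 'location' => '/login', 'body' => ''];
    }
    $html = '<html><body>' . renderNickHardened($nick) . '</body></html>';
    return ['status' => 200, 'location' => null, 'body' => $html];
}

// Constructed tampered cookie jar: the nick carries a payload; the token is
// valid for "alice" but no longer matches the altered nick.
$payload = 'alice"><img src=x onerror=alert(1)>';
$tampered = ['fsNick' => $payload, 'fsToken' => 'tok-7f3a'];

$vuln = handleVulnerable($tampered);
$hard = handleHardened($tampered);

printf("vulnerable: status %d, payload in body: %s\n",
    $vuln['status'], strpos($vuln['body'], 'onerror=') !== false ? 'yes' : 'no');
printf("hardened:   status %d, location %s, body bytes %d\n",
    $hard['status'], (string) $hard['location'], strlen($hard['body']));
printf("encoded:    %s\n", renderNickHardened($payload));
printf("monitor:    %s\n", isScriptBearing($payload) ? 'flag' : 'ok');
```

Run it with `php example.php`. The vulnerable handler returns a 200 whose body still contains the `onerror=` payload even though the request ended in a logout, while the hardened handler returns a 302 with an empty body for the same cookies; on a valid session the encoded form renders the quote and angle brackets as entities rather than markup. When reviewing custom templates, the same two questions apply: is the session decision made before any output is buffered or flushed, and is every cookie-derived value passed through htmlspecialchars (or the template engine's equivalent auto-escaping) for the context it lands in.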
Evidence notes
The supplied source corpus identifies FacturaScripts versions 2025.7 and prior as affected and states that the issue is fixed in 2025.8. The GitHub advisory and linked commit are the primary source references. NVD metadata marks the vulnerability status as Deferred and classifies the weakness as CWE-79. PublishedAt is 2026-05-18T22:16:38.703Z and ModifiedAt is 2026-05-19T14:44:43.127Z; those dates are used only as CVE timeline context.
Official resources
Public coordinated disclosure; no KEV listing was provided in the supplied corpus.