PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42877 NeoRazorX CVE debrief

A stored cross-site scripting (XSS) vulnerability in FacturaScripts 2025.92 and earlier allows authenticated users with warehouse module access to inject malicious JavaScript via product references. The payload executes when other users open the product search modal within sales or purchase documents. The vulnerability resides in two PHP files handling AJAX modal rendering for sales and purchasing workflows.

Vendor: NeoRazorX
Product: facturascripts
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations using FacturaScripts for accounting and invoicing, particularly those with multi-user environments where warehouse staff and accounting personnel have segregated access. Security teams monitoring for supply chain risks in open-source business applications.

Technical summary

The vulnerability exists in the product search modal functionality used when creating invoices, orders, and delivery notes. An attacker with warehouse module privileges can create a product containing a malicious reference string. When another user opens the product search modal in a sales or purchase document context, the unsanitized reference renders as executable JavaScript in the victim's browser. The affected components are Core/Lib/AjaxForms/SalesModalHTML.php for sales documents and Core/Lib/AjaxForms/PurchasesModalHTML.php for purchase documents. The CVSS 3.1 score of 5.4 reflects network attack vector, low attack complexity, required low privileges, required user interaction, changed scope, and low impacts to confidentiality and integrity with no availability impact.

Defensive priority

medium

Recommended defensive actions

  • Upgrade FacturaScripts to a version later than 2025.92 when available
  • Review product reference input validation in Core/Lib/AjaxForms/SalesModalHTML.php and Core/Lib/AjaxForms/PurchasesModalHTML.php
  • Implement Content Security Policy headers to mitigate XSS impact
  • Audit existing product references for suspicious JavaScript patterns
  • Restrict warehouse module access to trusted administrative users pending patch
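The audit step above, together with the output encoding the modal rendering must apply to a reference before emitting it, as an added Python example; this is not FacturaScripts code, and the row layout, column names and detection patterns are constructed assumptions rather than the project's schema.

```python
import html
import re

# Patterns that indicate a product reference carries markup or script rather
# than a plain SKU-style identifier. Constructed for this example; tune them
# to the reference conventions actually used in your installation.
SUSPICIOUS = [
    re.compile(r"<\s*/?\s*[a-z!]", re.I),   # start of an HTML tag
    re.compile(r"\bon[a-z]+\s*=", re.I),     # inline event-handler attribute
    re.compile(r"javascript\s*:", re.I),     # javascript: URL scheme
    re.compile(r"&#x?[0-9a-f]+;", re.I),     # numeric entity obfuscation
]


def is_suspicious(reference: str) -> bool:
    """True when a stored reference looks like markup instead of an identifier."""
    return any(p.search(reference) for p in SUSPICIOUS)


def audit_references(rows):
    """Return the (product_id, reference) pairs that should be reviewed by hand.

    rows: iterable of (product_id, reference) pairs, e.g. exported from the
    products table. Column names here are assumed, not the project's own.
    """
    return [(pid, ref) for pid, ref in rows if is_suspicious(ref)]


def render_reference_cell(reference: str) -> str:
    """Context-correct encoding for an HTML text context.

    A modal that builds HTML by string concatenation must pass every
    user-controlled field through this kind of escaping; otherwise a stored
    reference is rendered as markup in the viewing user's browser.
    """
    return "<td>" + html.escape(reference, quote=True) + "</td>"


# Constructed sample rows standing in for a products export.
SAMPLE_ROWS = [
    (1, "REF-1001"),
    (2, "PAL-EU-80x120"),
    (3, "<i>REF-1003</i>"),              # markup inside the reference
    (4, 'REF-1004" onfocus="x'),          # attribute breakout attempt
    (5, "link:javascript:void(0)"),       # script URL scheme
]

if __name__ == "__main__":
    for pid, ref in audit_references(SAMPLE_ROWS):
        print(f"review product {pid}: {ref!r} -> rendered as {render_reference_cell(ref)}")
```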

Evidence notes

NVD record published 2026-05-27 with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. GitHub Security Advisory GHSA-r736-2678-fcrx cited as primary source. CPE criteria not yet populated in NVD feed.

Official resources

2026-05-27