CVE-2025-69210 LOW

CVE-2025-69210: FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload

Vendor Neorazorx
Product facturascripts
Weakness CWE-79 · XSS
Published December 30, 2025
Last update December 30, 2025

CVSS base score

1.2/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

What the vulnerability does

01Description

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.

Key dates

02Disclosure timeline

December 30, 2025 CVE published
December 30, 2025 Record updated