THREAT OPS › Threat News › [GHSA] GHSA-3x7p-v8hj-xh5m (low) — FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
[GHSA] GHSA-3x7p-v8hj-xh5m (low) — FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
GHSA-3x7p-v8hj-xh5m Severity: low CVE: CVE-2026-45710
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
## Summary
`WidgetVariante::renderVariantList` (`Core/Lib/Widget/WidgetVariante.php:298-330`) and `WidgetSubcuenta::renderSubaccountList` (`Core/Lib/Widget/WidgetSubcuenta.php:290-321`)
MITRE ATT&CK techniques
- JavaScriptT1059.007
Indicators of compromise
- CVE-2026-45710cve
- http://127.0.0.1:8081/`url
- http://127.0.0.1:8081/EditAgente?code=1url
Original source: https://github.com/advisories/GHSA-3x7p-v8hj-xh5m