THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-3x7p-v8hj-xh5m (low) — FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`

[GHSA] GHSA-3x7p-v8hj-xh5m (low) — FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`

highgithub_advisoriesPublished 2026-07-14

GHSA-3x7p-v8hj-xh5m Severity: low CVE: CVE-2026-45710

FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`

## Summary

`WidgetVariante::renderVariantList` (`Core/Lib/Widget/WidgetVariante.php:298-330`) and `WidgetSubcuenta::renderSubaccountList` (`Core/Lib/Widget/WidgetSubcuenta.php:290-321`)

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://github.com/advisories/GHSA-3x7p-v8hj-xh5m