
A3factura Web Platform: Malicious Code Injection via Customer Name

CVE-2026-2679
Summary

The 'customerName' parameter of the A3factura web platform, at the 'a3factura-app.wolterskluwer.es/#/incomes/salesInvoices' endpoint, is vulnerable to reflected cross-site scripting (XSS): an attacker can inject malicious code that runs in a user's browser. This could allow the attacker to access sensitive information or take control of the user's session. Updating the A3factura platform to fix this issue is essential to prevent unauthorized access and data theft.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wolterskluwer | a3factura | 4.111.2 | |
Original title
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerName', in 'a3factura-app.wolterskluwer.es/#/incomes/salesInvoices' endpoint, which could allow an attacker ...
Original description
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerName', in 'a3factura-app.wolterskluwer.es/#/incomes/salesInvoices' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.
nvd CVSS3.1 6.1
nvd CVSS4.0 4.8
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026