Multiple vulnerabilities in A3factura software
Posted date 18/02/2026
Identifier
INCIBE-2026-148
Importance
3 - Medium
Affected Resources
A3factura version 4.111.2-rev.1 is affected.
Description
INCIBE has coordinated the publication of 4 medium-severity vulnerabilities affecting A3factura firmware, online invoicing software for SMEs and freelancers. The vulnerabilities were discovered by David Padilla Alvarado.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- From CVE-2026-2677 to CVE-2026-2680: 4.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79.
Solution
The fix has been deployed in production in version 4.114.0-rev.6, released on 17/02/2026.
Detail
Reflected Cross-Site Scripting (XSS) on the A3factura web platform, which could allow an attacker to execute arbitrary code in the victim's browser.
The list of assigned parameters and endpoints is as follows:
- CVE-2026-2677: parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/representatives-management' endpoint.
- CVE-2026-2678: parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/customers' endpoint.
- CVE-2026-2679: parameter 'customerName', in 'a3factura-app.wolterskluwer.es/#/incomes/salesInvoices' endpoint.
- CVE-2026-2680: parameter 'customerVATNumber', in 'a3factura-app.wolterskluwer.es/#/incomes/salesDeliveryNotes' endpoint.
CVE
| CVE Identifier | Severity | Exploitation | Manufacturer |
|---|---|---|---|
| CVE-2026-2677 | Medium | No | A3factura |
| CVE-2026-2678 | Medium | No | A3factura |
| CVE-2026-2679 | Medium | No | A3factura |
| CVE-2026-2680 | Medium | No | A3factura |