Description
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed in the victim's browser when the template is applied.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who can create or edit email templates to insert malicious JavaScript that executes in the victim's browser when the template is rendered. This client-side XSS flaw originates from unsanitized template rendering in ERPNext's email template engine.

Affected Systems

ERPNext releases up to and including version 15.103.1 are affected. Any installation that uses the built‑in email template editor and grants users the ability to create or edit templates is vulnerable.

Risk and Exploitability

Exploitation requires the attacker to already hold permission to edit email templates, which typically means administrative or otherwise privileged access. No EPSS score is available, and the vulnerability is not listed in CISA KEV, so there is no confirmed widespread exploitation. Because the flaw is a client-side XSS, a successful attack results in attacker-controlled script running in the victim's browser whenever the affected template is rendered.

Generated by OpenCVE AI on May 5, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ERPNext to a newer version that resolves the XSS issue
  • Restrict permission to create or edit email templates to trusted administrators only
  • Sanitize and escape any user‑supplied data rendered in the email templates, for example by using safe rendering helpers
  • If an immediate upgrade is impossible, disable the email template editor or remove unneeded fields to reduce the attack surface



Advisories

No advisories yet.

History

Tue, 05 May 2026 20:15:00 +0000

Type: Title
Values Added: Cross-Site Scripting Vulnerability in ERPNext Email Template Engine (v15.103.1 and Earlier)

Type: Weaknesses
Values Added: CWE-79

Tue, 05 May 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Erpnext; Erpnext erpnext

Type: Vendors & Products
Values Added: Erpnext; Erpnext erpnext

Tue, 05 May 2026 17:00:00 +0000

Type: Description
Values Added: ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed in the victim's browser when the template is applied.

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T16:16:44.521Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38432

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T17:17:04.800

Modified: 2026-05-05T17:17:04.800

Link: CVE-2026-38432

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:00:13Z

Weaknesses