Description
An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue affects ERPNext: 16.16.0.
Published: 2026-06-03
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated ERPNext user with Item record edit permissions can save arbitrary HTML or JavaScript into the item_name, description, or image fields of an Item. When that item is later added to a POS transaction, the content is rendered unescaped in the cart interface, allowing the attacker to inject scripts that execute in the browser context of any operator who performs the sale. This cross‑site scripting can be used to hijack operator sessions, deface the POS screen, or exfiltrate sensitive data available to the browser.

Affected Systems

The vulnerability exists only in ERPNext version 16.16.0 and affects installations on Linux, macOS, and Windows platforms. The affected product is ERPNext, published by the vendor Frappe.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Likely exploitation requires the attacker to have local authenticated access with edit rights on Item records; no public remote exploitation has been documented. The risk is primarily to operators using the POS interface, who could be compromised by the injected scripts. Given the moderate score and limited attack surface, continuous monitoring and timely patching are recommended.

Generated by OpenCVE AI on June 3, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ERPNext to a version that includes the fix for the POS cart XSS issue (once available).
  • Restrict Item record edit permissions to only highly trusted administrators and audit current entries for malicious content.
  • Implement a basic input sanitization routine or a web application firewall that blocks or escapes untrusted HTML before it reaches the POS cart rendering process.
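One way to apply the last two recommendations, as an added example that is not ERPNext's own code: HTML-encode each Item field before it is placed in the cart markup, restrict the image field to plain URLs, and audit stored Item records for embedded markup. Only the field names item_name, description and image come from the advisory; the record shape, helper names and sample records are assumptions.

```javascript
// Added illustration, not ERPNext code. Field names come from the advisory;
// the Item record shape and helper names are assumed.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value so the browser renders it as text, never as markup.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Accept only http(s) URLs or site-relative paths for the image field;
// other schemes (e.g. javascript:) and quote/angle characters are dropped.
function safeImageSrc(src) {
  const s = String(src ?? "").trim();
  return /^(https?:\/\/|\/)[^\s"'<>]*$/i.test(s) ? escapeHtml(s) : "";
}

// Hardened cart row: every untrusted field is encoded before interpolation.
// The vulnerable pattern is interpolating item.item_name etc. unescaped.
function renderCartRow(item) {
  const img = safeImageSrc(item.image);
  return (
    `<div class="cart-item">` +
    (img ? `<img src="${img}" alt="">` : "") +
    `<span class="name">${escapeHtml(item.item_name)}</span>` +
    `<span class="desc">${escapeHtml(item.description)}</span>` +
    `</div>`
  );
}

// Audit helper: flag stored Items whose fields contain tags, event-handler
// attributes or script-capable URL schemes, for manual review.
const SUSPICIOUS = /<[a-z!\/?]|javascript:|on\w+\s*=|data:text\/html/i;
function auditItems(items) {
  const findings = [];
  for (const item of items) {
    for (const field of ["item_name", "description", "image"]) {
      if (SUSPICIOUS.test(String(item[field] ?? ""))) {
        findings.push({ name: item.name, field });
      }
    }
  }
  return findings;
}

// Constructed sample records (not real data) to exercise the helpers.
const SAMPLE_ITEMS = [
  { name: "ITEM-0001", item_name: "Plain Mug", description: "Ceramic, 300 ml", image: "/files/mug.png" },
  { name: "ITEM-0002", item_name: "Mug <script>alert(1)</script>", description: "x", image: "javascript:alert(1)" },
];
```

Running auditItems(SAMPLE_ITEMS) reports the second record twice (item_name and image), while renderCartRow on it produces a row containing only encoded text and no image element.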

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 19:00:00 +0000

Type: Description
Values Added: An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue affects ERPNext: 16.16.0.

Type: Title
Values Added: ERPNext 16.16.0 - Stored XSS in POS cart item rendering

Type: First Time appeared
Values Added: Frappe; Frappe erpnext

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added:
cpe:2.3:a:frappe:erpnext:16.16.0:*:linux:*:*:*:*:*
cpe:2.3:a:frappe:erpnext:16.16.0:*:macos:*:*:*:*:*
cpe:2.3:a:frappe:erpnext:16.16.0:*:windows:*:*:*:*:*

Type: Vendors & Products
Values Added: Frappe; Frappe erpnext

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0
{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-03T19:09:12.657Z

Reserved: 2026-04-30T15:23:30.711Z

Link: CVE-2026-42839

Vulnrichment

Updated: 2026-06-03T19:09:06.079Z

NVD

Status: Received

Published: 2026-06-03T19:16:38.013

Modified: 2026-06-03T19:16:38.013

Link: CVE-2026-42839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T20:30:36Z

Weaknesses