Description
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer.
This issue affects ERPNext: 16.16.0.
Published: 2026-06-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who can authenticate to ERPNext can store malicious HTML or JavaScript in a Customer record’s email_id or mobile_no fields, creating a stored client‑side XSS (CWE‑79) flaw. When a POS operator selects that customer, the stored payload is rendered unescaped in the point‑of‑sale interface, allowing client‑side code to execute in the operator’s browser. This can lead to session hijacking, credential theft or defacement of the POS interface but does not grant direct control of the underlying ERPNext server process.

Affected Systems

The flaw is present in ERPNext version 16.16.0 on all supported operating systems, including Linux, macOS and Windows.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1, indicating moderate risk. The EPSS score is unavailable, and it is not listed in CISA’s KEV catalog, suggesting that widespread exploitation has not yet been observed. Because the flaw requires authenticated access, the attacker must have valid user credentials or privileges to modify customer data. Once authenticated, execution is straightforward via the POS front‑end.

Generated by OpenCVE AI on June 3, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of ERPNext where the POS template literals are properly escaped.
  • If an immediate upgrade is not possible, implement input validation or sanitization on the email_id and mobile_no fields to strip or escape HTML tags before storage.
  • Restrict POS operator access to customer records, or enforce read‑only permissions for the fields that can carry user‑supplied data.

Generated by OpenCVE AI on June 3, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0.
Title ERPNext 16.16.0 - Stored XSS in POS customer section via unescaped template literals
First Time appeared Frappe
Frappe erpnext
Weaknesses CWE-79
CPEs cpe:2.3:a:frappe:erpnext:16.16.0:*:linux:*:*:*:*:*
cpe:2.3:a:frappe:erpnext:16.16.0:*:macos:*:*:*:*:*
cpe:2.3:a:frappe:erpnext:16.16.0:*:windows:*:*:*:*:*
Vendors & Products Frappe
Frappe erpnext
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Frappe Erpnext
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-03T18:59:26.898Z

Reserved: 2026-04-30T15:23:30.711Z

Link: CVE-2026-42840

cve-icon Vulnrichment

Updated: 2026-06-03T18:59:01.056Z

cve-icon NVD

Status : Deferred

Published: 2026-06-03T19:16:38.190

Modified: 2026-06-04T15:23:52.253

Link: CVE-2026-42840

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T21:30:32Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')