Description
A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (remote, reflected)
Action: Monitor
AI Analysis

Impact

A reflected cross‑site scripting flaw was identified in the Inventory Edit Item Page of erponline.xyz ERP Online, exploitable via manipulation of the "Item Name" field. The vulnerability allows an attacker to inject arbitrary client‑side scripts into a victim’s browser session. An attacker can use the publicly available exploit, and the vulnerability can be triggered remotely through the web interface.

Affected Systems

The flaw exists in all releases of erponline.xyz ERP Online up to and including version 4.0.0. The specific component affected is the code handling the Inventory Edit Item Page. No later versions were listed in the provided data.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact; the EPSS score is not available, so the exact exploitation likelihood cannot be quantified. The vulnerability is not listed in CISA KEV, but the vendor’s lack of response and the public release of exploit code increase the urgency. An attacker only needs to send a crafted web request to a victim with access to the edit form; according to the information provided, no local privilege escalation or authentication bypass is required.

Generated by OpenCVE AI on April 20, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or update to the latest ERP Online release once a vendor fix becomes available and monitor vendor announcements
  • Sanitize and encode the "Item Name" input before rendering it in the page; implement output encoding to prevent injection of script tags
  • Restrict the allowable characters in the "Item Name" field or remove the field from unauthenticated edit pages
  • Deploy a web application firewall or use built‑in security controls to detect and block suspicious script payloads
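As an added illustration of the encoding and allow-list advice above (not code from ERP Online or from OpenCVE), assuming a hypothetical form field named `item_name`: the vulnerable pattern reflects the submitted name into the input's `value` attribute unencoded, the hardened pattern encodes for the attribute context, and a small HTML parser shows what attributes a browser would actually see in each case.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values for the "Item Name" field (illustrative, not taken
# from the advisory or from any real ERP Online request).
BENIGN_ITEM_NAME = 'Widget <A&B> 10"'
HOSTILE_ITEM_NAME = 'Widget" onfocus="alert(1)" autofocus="'


def render_item_name_unsafe(item_name: str) -> str:
    """Vulnerable pattern: reflect the submitted value into the edit form unencoded."""
    return f'<input type="text" name="item_name" value="{item_name}">'


def render_item_name_safe(item_name: str) -> str:
    """Hardened pattern: HTML-encode for the attribute context at render time.
    html.escape(quote=True) encodes & < > " and ', so a quote inside the name
    cannot close the value attribute and start a new one."""
    return f'<input type="text" name="item_name" value="{html.escape(item_name, quote=True)}">'


# Hypothetical allow-list for a product name: letters, digits, space and a few
# punctuation characters, 1-100 characters long. Output encoding is still required.
ITEM_NAME_RE = re.compile(r"[A-Za-z0-9 _.()/-]{1,100}")


def validate_item_name(item_name: str) -> bool:
    """Defence in depth: reject names containing markup characters before storage."""
    return ITEM_NAME_RE.fullmatch(item_name) is not None


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)  # attribute values arrive entity-decoded


def input_attributes(rendered_html: str) -> dict:
    """Parse the rendered field; extra keys such as 'onfocus' reveal an injection."""
    parser = _InputAttrs()
    parser.feed(rendered_html)
    parser.close()
    return parser.attrs
```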

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Erponline.xyz; Erponline.xyz erp Online
Vendors & Products | | Erponline.xyz; Erponline.xyz erp Online

Mon, 20 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | erponline.xyz ERP Online Inventory Edit Item cross site scripting
Weaknesses | | CWE-79, CWE-94
References | |
Metrics | | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T15:21:57.084Z

Reserved: 2026-04-20T05:55:13.524Z

Link: CVE-2026-6651

Vulnrichment

Updated: 2026-04-20T15:21:53.487Z

NVD

Status: Received

Published: 2026-04-20T16:16:55.810

Modified: 2026-04-20T16:16:55.810

Link: CVE-2026-6651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:47:59Z

Weaknesses